fix: DEV-2235: Fix blind SSRF on add model and import (#2450)

* fix: DEV-2235: Fix blind SSRF on add model and import

* Fix ip check (DEV-2235)

* Disable bandit check (DEV-2235)

Author: triklozoid

label_studio/core/settings/base.py

@@ -367,6 +367,8 @@
 CSRF_COOKIE_SECURE = bool(int(get_env('CSRF_COOKIE_SECURE', SESSION_COOKIE_SECURE)))
 CSRF_COOKIE_HTTPONLY = bool(int(get_env('CSRF_COOKIE_HTTPONLY', SESSION_COOKIE_SECURE)))
 
+SSRF_PROTECTION_ENABLED = get_bool_env('SSRF_PROTECTION_ENABLED', False)
+
 # user media files
 MEDIA_ROOT = os.path.join(BASE_DATA_DIR, 'media')
 os.makedirs(MEDIA_ROOT, exist_ok=True)

label_studio/core/utils/exceptions.py

@@ -42,3 +42,13 @@ class LabelStudioValidationErrorSentryIgnored(ValidationError):
 
 class LabelStudioXMLSyntaxErrorSentryIgnored(Exception):
     pass
+
+
+class ImportFromLocalIPError(LabelStudioAPIException):
+    default_detail = 'Importing from local IP is not allowed'
+    status_code = status.HTTP_403_FORBIDDEN
+
+
+class MLModelLocalIPError(LabelStudioAPIException):
+    default_detail = 'Adding models with local IP is not allowed'
+    status_code = status.HTTP_403_FORBIDDEN

label_studio/core/utils/io.py

@@ -1,6 +1,8 @@
 """This file and its contents are licensed under the Apache License 2.0. Please see the included NOTICE for copyright information and LICENSE for a copy of the license.
 """
 import os
+import socket
+import ipaddress
 import pkg_resources
 import shutil
 import glob
@@ -9,6 +11,7 @@
 import itertools
 import yaml
 
+from urllib.parse import urlparse
 from contextlib import contextmanager
 from tempfile import mkstemp, mkdtemp
 
@@ -163,3 +166,27 @@ def __init__(self, iterable):
 
     def __iter__(self):
         return itertools.chain(self._head, *self[:1])
+
+
+def url_is_local(url):
+    domain = urlparse(url).hostname
+    try:
+        ip = socket.gethostbyname(domain)
+    except socket.error:
+        from core.utils.exceptions import LabelStudioAPIException
+        raise LabelStudioAPIException(f"Can't resolve hostname {domain}")
+    else:
+        if ip in (
+            '0.0.0.0', # nosec
+        ):
+            return True
+        local_subnets = [
+            '127.0.0.0/8',
+            '10.0.0.0/8',
+            '172.16.0.0/12',
+            '192.168.0.0/16',
+        ]
+        for subnet in local_subnets:
+            if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet):
+                return True
+        return False

label_studio/data_import/api.py

@@ -205,6 +205,7 @@ def create(self, request, *args, **kwargs):
         project = generics.get_object_or_404(Project.objects.for_user(self.request.user), pk=self.kwargs['pk'])
 
         # upload files from request, and parse all tasks
+        # TODO: Stop passing request to load_tasks function, make all validation before
         parsed_data, file_upload_ids, could_be_tasks_lists, found_formats, data_columns = load_tasks(request, project)
 
         if preannotated_from_fields:

label_studio/data_import/uploader.py

@@ -19,6 +19,8 @@
 from urllib.request import urlopen
 
 from .models import FileUpload
+from core.utils.io import url_is_local
+from core.utils.exceptions import ImportFromLocalIPError
 
 logger = logging.getLogger(__name__)
 csv.field_size_limit(131072 * 10)
@@ -131,6 +133,8 @@ def load_tasks(request, project):
 
         # download file using url and read tasks from it
         else:
+            if settings.SSRF_PROTECTION_ENABLED and url_is_local(url):
+                raise ImportFromLocalIPError
             data_keys, found_formats, tasks, file_upload_ids = tasks_from_url(
                 file_upload_ids, project, request, url
             )

label_studio/ml/serializers.py

@@ -1,10 +1,18 @@
 """This file and its contents are licensed under the Apache License 2.0. Please see the included NOTICE for copyright information and LICENSE for a copy of the license.
 """
+from django.conf import settings
 from rest_framework import serializers
 from ml.models import MLBackend
+from core.utils.io import url_is_local
+from core.utils.exceptions import MLModelLocalIPError
 
 
 class MLBackendSerializer(serializers.ModelSerializer):
+    def validate_url(self, value):
+        if settings.SSRF_PROTECTION_ENABLED and url_is_local(value):
+            raise MLModelLocalIPError
+        return value
+
     def validate(self, attrs):
         attrs = super(MLBackendSerializer, self).validate(attrs)
         url = attrs['url']