SMTP SSRF protection: Edge case handling for CGNAT and v4/v6 mapping (#6264)

pyproject.toml

@@ -30,7 +30,7 @@ dependencies = [
   "arabic-reshaper==3.0.1",  # Support for Arabic in reportlab
   "babel",
   "BeautifulSoup4==4.14.*",
-  "bleach==6.4.*",
+  "bleach==6.3.*",
   "celery==5.6.*",
   "chardet==5.2.*",
   "cryptography>=48.0.0",

src/pretix/api/auth/devicesecurity.py

@@ -20,6 +20,7 @@
 # <https://www.gnu.org/licenses/>.
 #
 import logging
+from collections import OrderedDict
 
 from django.dispatch import receiver
 from django.utils.translation import gettext_lazy as _
@@ -51,18 +52,10 @@ class BaseSecurityProfile:
         """
         raise NotImplementedError()
 
-    @property
-    def priority(self) -> int:
-        """
-        Priority for ordering, higher will come first.
-        """
-        return 100
-
 
 class FullAccessSecurityProfile(BaseSecurityProfile):
     identifier = 'full'
     verbose_name = _('Full device access (reading and changing orders and gift cards, reading of products and settings)')
-    priority = 1000
 
     def is_allowed(self, request):
         return True
@@ -197,15 +190,13 @@ def get_all_security_profiles():
     if _ALL_PROFILES:
         return _ALL_PROFILES
 
-    types = []
+    types = OrderedDict()
     for recv, ret in register_device_security_profile.send(None):
         if isinstance(ret, (list, tuple)):
             for r in ret:
-                types.append(r)
+                types[r.identifier] = r
         else:
-            types.append(ret)
-    types.sort(key=lambda el: el.priority, reverse=True)
-    types = {r.identifier: r for r in types}
+            types[ret.identifier] = ret
     _ALL_PROFILES = types
     return types
 

src/pretix/api/views/checkin.py

@@ -788,10 +788,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
             if str(q.pk) in answers_data:
                 try:
                     if q.type == Question.TYPE_FILE:
-                        if answers_data[str(q.pk)]:
-                            given_answers[q] = _handle_file_upload(answers_data[str(q.pk)], user, auth)
-                        else:
-                            given_answers[q] = None
+                        given_answers[q] = _handle_file_upload(answers_data[str(q.pk)], user, auth)
                     else:
                         given_answers[q] = q.clean_answer(answers_data[str(q.pk)])
                 except (ValidationError, BaseValidationError):

src/pretix/base/email.py

@@ -57,6 +57,8 @@ logger = logging.getLogger('pretix.base.email')
 
 T = TypeVar("T", bound=EmailBackend)
 
+_cgnat_net = ipaddress.ip_network('100.64.0.0/10')
+
 
 def test_custom_smtp_backend(backend: T, from_addr: str) -> None:
     try:
@@ -253,12 +255,15 @@ def create_connection(address, timeout=socket.getdefaulttimeout(),
 
         if not getattr(settings, "MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS", False):
             ip_addr = ipaddress.ip_address(sa[0])
+            check_ip4 = ip_addr.ipv4_mapped if getattr(ip_addr, "ipv4_mapped", None) else ip_addr
             if ip_addr.is_multicast:
                 raise socket.error(f"Request to multicast address {sa[0]} blocked")
             if ip_addr.is_loopback or ip_addr.is_link_local:
                 raise socket.error(f"Request to local address {sa[0]} blocked")
             if ip_addr.is_private:
                 raise socket.error(f"Request to private address {sa[0]} blocked")
+            if check_ip4 in _cgnat_net:
+                raise socket.error(f"Request to RFC 6598 address {sa[0]} blocked")
 
         sock = None
         try:

src/pretix/base/exporters/reusablemedia.py

@@ -64,13 +64,7 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
         yield headers
         yield self.ProgressSetTotal(total=media.count())
 
-        can_read_giftcards = self.permission_holder.has_organizer_permission(self.organizer, 'organizer.giftcards:read')
-
         for medium in media.iterator(chunk_size=1000):
-            giftcard_secret = medium.linked_giftcard.secret if medium.linked_giftcard_id else ''
-            if giftcard_secret and not can_read_giftcards:
-                giftcard_secret = giftcard_secret[:3] + "…"
-
             yield [
                 medium.type,
                 medium.identifier,
@@ -78,7 +72,7 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
                 date_format(medium.expires, 'SHORT_DATETIME_FORMAT') if medium.expires else '',
                 medium.customer.identifier if medium.customer_id else '',
                 ', '.join([f"{op.order.code}-{op.positionid}" for op in medium.linked_orderpositions.all()]),
-                giftcard_secret,
+                medium.linked_giftcard.secret if medium.linked_giftcard_id else '',
                 medium.notes,
             ]
 

src/pretix/control/views/checkin.py

@@ -401,14 +401,13 @@ class CheckinListUpdate(EventPermissionRequiredMixin, UpdateView):
                 {
                     'id': i.pk,
                     'name': str(i),
-                    'active': i.active,
                     'variations': [
                         {
                             'id': v.pk,
                             'name': str(v.value)
                         } for v in i.variations.all()
                     ]
-                } for i in self.request.event.items.prefetch_related('variations')
+                } for i in self.request.event.items.filter(active=True).prefetch_related('variations')
             ],
             **super().get_context_data(),
         }

src/pretix/helpers/monkeypatching.py

@@ -148,13 +148,14 @@ def monkeypatch_urllib3_ssrf_protection():
 
             if not getattr(settings, "ALLOW_HTTP_TO_PRIVATE_NETWORKS", False):
                 ip_addr = ipaddress.ip_address(sa[0])
+                check_ip4 = ip_addr.ipv4_mapped if getattr(ip_addr, "ipv4_mapped", None) else ip_addr
                 if ip_addr.is_multicast:
                     raise HTTPError(f"Request to multicast address {sa[0]} blocked")
                 if ip_addr.is_loopback or ip_addr.is_link_local:
                     raise HTTPError(f"Request to local address {sa[0]} blocked")
                 if ip_addr.is_private:
                     raise HTTPError(f"Request to private address {sa[0]} blocked")
-                if ip_addr in _cgnat_net:
+                if check_ip4 in _cgnat_net:
                     raise HTTPError(f"Request to RFC 6598 address {sa[0]} blocked")
 
             sock = None

src/pretix/presale/views/widget.py

@@ -128,9 +128,6 @@ def _use_vite(request):
     origin = request.META.get('HTTP_ORIGIN', '')
     gs = GlobalSettingsObject()
     vite_origins = gs.settings.get('widget_vite_origins', as_type=str, default='')
-    if vite_origins and not origin:
-        referer = request.META.get('HTTP_REFERER', '')
-        origin = '/'.join(referer.split('/', 3)[:3])
     if origin and vite_origins:
         origins_list = [o.strip() for o in vite_origins.strip().splitlines() if o.strip()]
         return origin in origins_list

src/pretix/static/pretixcontrol/js/ui/checkinrules/App.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { computed } from 'vue'
-import { rules as rawRules, allItems, activeItems, allProducts, limitProducts } from './django-interop'
+import { rules as rawRules, items, allProducts, limitProducts } from './django-interop'
 import { convertToDNF } from './jsonlogic-boolalg'
 
 import RulesEditor from './checkin-rules-editor.vue'
@@ -53,7 +53,7 @@ const missingItems = computed(() => {
 	}
 
 	let missing = []
-	for (const item of activeItems.value) {
+	for (const item of items.value) {
 		if (productsSeen[item.id]) continue
 		if (!allProducts.value && !limitProducts.value.includes(item.id)) continue
 		if (item.variations.length > 0) {
@@ -87,7 +87,7 @@ const missingItems = computed(() => {
 
 		//- Tab panes
 		.tab-content
-			#rules-edit.tab-pane.active(v-if="allItems", role="tabpanel")
+			#rules-edit.tab-pane.active(v-if="items", role="tabpanel")
 				RulesEditor
 			#rules-viz.tab-pane(role="tabpanel")
 				RulesVisualization

src/pretix/static/pretixcontrol/js/ui/checkinrules/django-interop.ts

@@ -26,13 +26,11 @@ watch(rules, (newVal) => {
 	rulesInput.value = JSON.stringify(newVal)
 }, { deep: true })
 
-export const activeItems = ref<any[]>([])
-export const allItems = ref<any[]>([])
+export const items = ref<any[]>([])
 
 const itemsEl = document.querySelector('#items')
 if (itemsEl?.textContent) {
-	allItems.value = JSON.parse(itemsEl.textContent || '[]')
-	activeItems.value = allItems.value.filter(item => item.active)
+	items.value = JSON.parse(itemsEl.textContent || '[]')
 
 	function checkForInvalidIds (validProducts: Record<string, string>, validVariations: Record<string, string>, rule: any) {
 		if (rule['and']) {
@@ -59,8 +57,8 @@ if (itemsEl?.textContent) {
 	}
 
 	checkForInvalidIds(
-		Object.fromEntries(allItems.value.map(p => [p.id, p.name])),
-		Object.fromEntries(allItems.value.flatMap(p => p.variations?.map(v => [v.id, p.name + ' – ' + v.name]) ?? [])),
+		Object.fromEntries(items.value.map(p => [p.id, p.name])),
+		Object.fromEntries(items.value.flatMap(p => p.variations?.map(v => [v.id, p.name + ' – ' + v.name]) ?? [])),
 		rules.value
 	)
 }

src/tests/api/test_checkin.py

@@ -1098,27 +1098,6 @@ def test_question_upload(token_client, organizer, clist, event, order, question)
         assert order.positions.first().answers.get(question=question[0]).file
 
 
-@pytest.mark.django_db
-def test_question_upload_optional(token_client, organizer, clist, event, order, question):
-    with scopes_disabled():
-        p = order.positions.first()
-    question[0].type = 'F'
-    question[0].required = False
-    question[0].save()
-
-    resp = _redeem(token_client, organizer, clist, p.pk, {})
-    assert resp.status_code == 400
-    assert resp.data['status'] == 'incomplete'
-    with scopes_disabled():
-        assert resp.data['questions'] == [QuestionSerializer(question[0]).data]
-
-    resp = _redeem(token_client, organizer, clist, p.pk, {'answers': {question[0].pk: ""}})
-    assert resp.status_code == 201
-    assert resp.data['status'] == 'ok'
-    with scopes_disabled():
-        assert not order.positions.first().answers.filter(question=question[0]).exists()
-
-
 @pytest.mark.django_db
 def test_store_failed(token_client, organizer, clist, event, order):
     with scopes_disabled():

src/tests/base/test_mail.py

@@ -602,10 +602,13 @@ PRIVATE_IPS_RES = [
     [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('127.1.1.1', 443))],
     [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('192.168.5.3', 443))],
     [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('224.0.0.1', 443))],
+    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('100.64.0.1', 443))],
+    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('100.100.100.100', 443))],
     [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('::1', 443, 0, 0))],
     [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('fe80::1', 443, 0, 0))],
     [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('ff00::1', 443, 0, 0))],
     [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('fc00::1', 443, 0, 0))],
+    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('::ffff:100.64.0.1', 443, 0, 0))],
 ]
 
 

src/tests/helpers/test_urllib.py

@@ -43,6 +43,8 @@ def test_private_ip_blocked():
         requests.get("https://10.0.0.1", timeout=0.1)
     with pytest.raises(HTTPError, match="Request to RFC 6598 address.*"):
         requests.get("https://100.100.100.100", timeout=0.1)
+    with pytest.raises(HTTPError, match="Request to RFC 6598 address.*"):
+        requests.get("https://[::ffff:100.64.0.1]", timeout=0.1)
 
 
 @pytest.mark.django_db
@@ -58,6 +60,7 @@ def test_private_ip_blocked():
     [(AF_INET6, SOCK_STREAM, 6, '', ('fe80::1', 443, 0, 0))],
     [(AF_INET6, SOCK_STREAM, 6, '', ('ff00::1', 443, 0, 0))],
     [(AF_INET6, SOCK_STREAM, 6, '', ('fc00::1', 443, 0, 0))],
+    [(AF_INET6, SOCK_STREAM, 6, "", ("::ffff:100.64.0.1", 443, 0, 0))],
 ])
 def test_dns_resolving_to_local_blocked(res):
     with mock.patch('socket.getaddrinfo') as mock_addr: