| Title | LangGenius Dify <= v1.13.3 Server-Side Request Forgery (CWE-918) |
|---|
| Description |
# Technical Details
A Blind Server-Side Request Forgery (SSRF) bypass exists in `ApiBasedToolSchemaParser`, the schema-parsing component in Dify.
When a user submits an API schema string (such as when creating a custom tool), the system auto-detects the format. If the input matches the structure of an OpenAI Plugin JSON manifest, the parser extracts the `url` value from the `api` object and uses a direct `httpx.get()` call to fetch the OpenAPI specification. This direct call completely ignores the application's global `ssrf_proxy` protection layer, allowing an attacker to force the backend to fetch arbitrary internal IPs and ports.
# Vulnerable Code
File: `api/core/tools/utils/parser.py`
Method: `parse_openai_plugin_json_to_tool_bundle`
Why: The function parses the user-supplied JSON schema to find `openai_plugin["api"]["url"]`. It then immediately calls `response = httpx.get(api_url, headers={"User-Agent": "Mozilla/5.0 ..."}, timeout=5)`. There is no IP range check, format validation, or proxy redirection applied to the `api_url` variable.
# Reproduction
1. Authenticate to the Dify API to get valid session and CSRF tokens.
2. Intercept or create an API request to `POST /console/api/workspaces/current/tool-provider/api/schema` (this maps to the "Import from Text" Custom Tool dialog).
3. Provide a malicious JSON schema block posing as an OpenAI Plugin manifest, but set `api.url` to an internal service address.
Example payload:
```json
{
  "schema_version": "v1", "name_for_human": "Test", "name_for_model": "test",
  "description_for_human": "Test", "description_for_model": "Test",
  "auth": { "type": "none" },
  "api": { "type": "openapi", "url": "http://127.0.0.1:22" }
}
```
4. The server receives the text, identifies it as an OpenAI Plugin JSON, and executes a GET request to the local SSH port or any other internal IP provided.
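The destination check that the direct `httpx.get()` call skips, sketched as an added example (not Dify's code and not its `ssrf_proxy` implementation). `check_manifest_url`, `BlockedURL` and `resolve` are hypothetical names, and allowing only globally routable addresses is an assumed policy.

```python
import ipaddress
import json
import socket
from urllib.parse import urlsplit

# Payload from the Reproduction section, embedded as sample input.
PAGE_PAYLOAD = json.dumps({
    "schema_version": "v1", "name_for_human": "Test", "name_for_model": "test",
    "description_for_human": "Test", "description_for_model": "Test",
    "auth": {"type": "none"},
    "api": {"type": "openapi", "url": "http://127.0.0.1:22"},
})


class BlockedURL(ValueError):
    """The manifest's api.url must not be fetched by the backend."""


def resolve(host, port):
    # Default resolver. IP literals resolve locally, without DNS traffic.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_manifest_url(manifest_text, resolver=resolve):
    """Return (url, resolved_ips) for api.url, or raise BlockedURL."""
    try:
        url = json.loads(manifest_text)["api"]["url"]
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise BlockedURL("manifest has no usable api.url") from exc
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"unsupported URL: {url!r}")
    try:
        ips = resolver(parts.hostname, port)
    except (OSError, ValueError) as exc:
        raise BlockedURL(f"cannot resolve {parts.hostname!r}") from exc
    if not ips:
        raise BlockedURL(f"{parts.hostname!r} resolved to no addresses")
    for ip in ips:
        addr = ipaddress.ip_address(ip.split("%")[0])  # drop IPv6 zone id
        mapped = getattr(addr, "ipv4_mapped", None)
        if not (mapped if mapped is not None else addr).is_global:
            raise BlockedURL(f"{parts.hostname} resolves to non-public {ip}")
    return url, ips
```

A caller should connect to the returned addresses rather than resolving the name a second time, and apply the same check to any redirect target before following it.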
# Impact
- SSRF Protection Bypass (Since the URL is deeply embedded within a JSON payload parsed on the backend, it easily bypasses simple frontend/input-level URL validators).
- Internal Network Probing (An attacker can determine whether internal network ports are open based on time-based differentials and error exceptions like `ConnectError` or `ToolApiSchemaError`).
- Internal Service Interaction (GET-based execution on sensitive endpoints restricted to localhost/internal networks). |
|---|
| Source | ⚠️ https://gist.github.com/chenhouser2025/d7b1c574b0e32eb9169f7046b486e662 |
|---|
| User | Eric-g (UID 96879) |
|---|
| Submission | 29/03/2026 06h02 (22 days ago) |
|---|
| Moderation | 19/04/2026 18h18 (22 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 358253 [langgenius dify up to 1.13.3 ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle url Privilege Escalation] |
|---|
| Points | 20 |
|---|