Add SSRF mitigations using `filter_var` and `CURLOPT_RESOLVE` by Inverle · Pull Request #8400 · FreshRSS/FreshRSS

Inverle · 2026-01-04T22:23:08Z

The idea is to prevent FreshRSS from sending any HTTP requests to internal services, except for the ones that are explicitly allowed in the config.

Based on https://github.com/moodle/moodle/blob/6e82b46a480826d1a85394d9e5087f7d82d1dd52/lib/filelib.php#L3818 and https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php

Alkarex · 2026-01-07T21:14:05Z

Since this will be a breaking change, let's target 1.29.0

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

Inverle · 2026-02-28T07:40:37Z

Related: simplepie/simplepie#968

Inverle · 2026-03-08T17:05:09Z

Another implementation worth looking at: https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php

Still WIP and needs testing etc.

Inverle · 2026-03-08T17:36:00Z

~~TODO: i need to reimplement the same redirection logic in SimplePie's File.php as in httpGet() right now..~~

never mind, my test script was broken it works fine already

Inverle · 2026-03-08T18:23:18Z

and also POST needs to change to GET on redirect

Alkarex · 2026-03-08T20:22:50Z

 		<exclude name="Squiz.Functions.MultiLineFunctionDeclaration.Indent"/>
 		<exclude name="Squiz.Functions.MultiLineFunctionDeclaration.OneParamPerLine"/>
 		<exclude name="Squiz.WhiteSpace.ScopeClosingBrace.ContentBefore"/>
+		<exclude name="Generic.CodeAnalysis.EmptyStatement.DetectedIf"/>


That does not seem needed, is it?

Not anymore, but I would prefer to keep it

Inverle · 2026-04-02T19:15:57Z

Yes, something like that indeed. But I am wondering whether the IP is enough or whether we should also allow some hostnames. In container setups in particular, the IPs are not known because they are automatic, so ideally we should allow something like rss-bridge.

Is this not covered already by adding rss-bridge:443 and rss-bridge:80 into the allowlist?
or do you mean that the port shouldn't be required?

Alkarex · 2026-04-02T19:35:56Z

It doesn't seem that $errorMessage is being printed anywhere. The lines were added in #7760

Well spotted. It was probably inspired by the following code, but lacking the FreshRSS_Feed_Exception or similar logging...

FreshRSS/app/Models/Feed.php

Lines 591 to 609 in 3fac1bd

    
           if ($simplePieResult === false || $simplePie->get_hash() === '' || !empty($simplePie->error())) { 
        
           	if ($simplePie->status_code() === 429) { 
        
           		$errorMessage = 'HTTP 429 Too Many Requests!'; 
        
           	} elseif ($simplePie->status_code() === 503) { 
        
           		$errorMessage = 'HTTP 503 Service Unavailable!'; 
        
           	} else { 
        
           		$errorMessage = $simplePie->error(); 
        
           		if (empty($errorMessage)) { 
        
           			$errorMessage = ''; 
        
           		} elseif (is_array($errorMessage)) { 
        
           			$errorMessage = json_encode($errorMessage, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_LINE_TERMINATORS) ?: ''; 
        
           		} 
        
           	} 
        
           	throw new FreshRSS_Feed_Exception( 
        
           		($errorMessage == '' ? 'Unknown error for feed' : $errorMessage) . 
        
           			' [' . $this->url(includeCredentials: false) . ']', 
        
           		$simplePie->status_code() 
        
           	); 
        
           }

Alkarex · 2026-04-02T19:37:30Z

Yes, something like that indeed. But I am wondering whether the IP is enough or whether we should also allow some hostnames. In container setups in particular, the IPs are not known because they are automatic, so ideally we should allow something like rss-bridge.

Is this not covered already by adding rss-bridge:443 and rss-bridge:80 into the allowlist? or do you mean that the port shouldn't be required?

Fine if providing a list of DNS/hostnames works. I mostly checked the IP parts, and I did not realise it was already there

Inverle · 2026-04-02T21:13:36Z

I have added the environment variable support and documentation.

Alkarex · 2026-04-08T19:25:11Z

I have made a Docker image of this PR: freshrss/freshrss:8400
Help welcome to test.
@math-GH If you still have a Windows setup, a quick test of this PR would be appreciated

Alkarex · 2026-04-08T21:11:32Z

Testing in Docker (Debian image) on an Ubuntu server:

I observe a few feeds apparently failing to follow 302 redirects, which seems to be reproducible:

Retrieved unsupported status code "302" [https://www.technologyreview.com/stories.rss] 
Retrieved unsupported status code "302" [http://www.luc-damas.fr/hop/feed/]

I also see several DNS resolution bugs when refreshing by cron (seems better manually, but would need more tests):

Failed to resolve domain: https://feeds.feedburner.com/hackaday/LgoM [https://feeds.feedburner.com/hackaday/LgoM] 
Failed to resolve domain: https://www.lemonde.fr/les-decodeurs/rss_full.xml [https://www.lemonde.fr/les-decodeurs/rss_full.xml]
Failed to resolve domain: https://www.dr.dk/nyheder/service/feeds/udland [https://www.dr.dk/nyheder/service/feeds/udland] 
Failed to resolve domain: https://github.com/Alkarex.atom [https://github.com/Alkarex.atom]
Failed to resolve domain: https://blogs.windows.com/msedgedev/feed/ [https://blogs.windows.com/msedgedev/feed/] 
Failed to resolve domain: https://www.60millions-mag.com/rss.xml [https://www.60millions-mag.com/rss.xml]

All those domains are working fine when reverting to edge branch.

Frenzie · 2026-04-09T06:32:10Z

The CNAME points to another domain. Maybe that's related? Though it doesn't seem to be an immediate problem.

$ php -r '$h="feeds.feedburner.com"; $r=@dns_get_record($h, DNS_A+DNS_AAAA); var_dump($r); var_dump($r===false);'
array(2) {
  [0]=>
  array(5) {
    ["host"]=>
    string(17) "www4.l.google.com"
    ["class"]=>
    string(2) "IN"
    ["ttl"]=>
    int(300)
    ["type"]=>
    string(1) "A"
    ["ip"]=>
    string(14) "64.233.184.118"
  }
  [1]=>
  array(5) {
    ["host"]=>
    string(17) "www4.l.google.com"
    ["class"]=>
    string(2) "IN"
    ["ttl"]=>
    int(300)
    ["type"]=>
    string(4) "AAAA"
    ["ipv6"]=>
    string(22) "2a00:1450:400c:c0b::76"
  }
}
bool(false)

$ host -a feeds.feedburner.com
Trying "feeds.feedburner.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12873
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;feeds.feedburner.com.          IN      ANY

;; ANSWER SECTION:
feeds.feedburner.com.   256     IN      CNAME   www4.l.google.com.

Received 66 bytes from 127.0.0.1#53 in 0 ms

Except for blogs.windows.com, which does its own special thing:

$ host -a blogs.windows.com
Trying "blogs.windows.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33789
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;blogs.windows.com.             IN      ANY

;; ANSWER SECTION:
blogs.windows.com.      300     IN      HINFO   "RFC8482" ""

Received 56 bytes from 127.0.0.1#53 in 68 ms

Alkarex · 2026-04-19T09:26:07Z

@Inverle Are you able to reproduce the issues on your side?

Inverle · 2026-04-20T17:44:04Z

@Alkarex I may have fixed the issues with a9c17ec, please retest (at least the 302 ones)

Add SSRF mitigations using filter_var and CURLOPT_RESOLVE

bae7e7e

Inverle added this to the 1.28.1 milestone Jan 4, 2026

Inverle added the Security 🛡️ label Jan 4, 2026

Inverle commented Jan 4, 2026

View reviewed changes

Comment thread app/Utils/httpUtil.php Outdated

Inverle commented Jan 4, 2026

View reviewed changes

Comment thread app/Utils/httpUtil.php

Alkarex modified the milestones: 1.28.1, 1.29.0 Jan 7, 2026

Inverle added 3 commits January 10, 2026 11:39

Add allowlist setting in Web UI

31b9704

Merge branch 'edge' into ssrf-blocklist

a338e2f

make readme

6098fd2

Inverle commented Jan 10, 2026

View reviewed changes

Comment thread app/Utils/httpUtil.php

Alkarex reviewed Jan 10, 2026

View reviewed changes

Comment thread app/i18n/fr/admin.php Outdated

Inverle and others added 2 commits January 10, 2026 18:38

Update app/i18n/fr/admin.php

5461e7c

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

make readme again

62e8061

Inverle added 3 commits February 28, 2026 08:58

Merge branch 'edge' into ssrf-blocklist

273a83d

Merge branch 'edge' into ssrf-blocklist

345035b

make readme

f95e7d2

Inverle added 2 commits March 8, 2026 18:18

Further work

de9a54f

Still WIP and needs testing etc.

Readd previous if check for domain combination allowlist

f1c3ee8

Inverle added 2 commits March 8, 2026 19:49

Turn POST to GET after redirect

50d10d4

Improve

c3a5aab

Inverle marked this pull request as ready for review March 8, 2026 19:20

Inverle requested review from Alkarex and Frenzie March 8, 2026 19:35

Alkarex reviewed Mar 8, 2026

View reviewed changes

Inverle added 4 commits April 2, 2026 22:50

Add documentation and environment variable support

2127373

make readme

429b093

Fix wrong behavior in case of IP

192e154

Fix duplicate selector in CSS

a0e20dd

Alkarex added 3 commits April 3, 2026 01:17

Minor type check change

3c57123

i18n fr, en

04ef82e

Minor type check change

8dddcae

Alkarex reviewed Apr 2, 2026

View reviewed changes

Comment thread app/views/configure/system.phtml

Inverle commented Apr 2, 2026

View reviewed changes

Comment thread app/i18n/fr/admin.php Outdated

Alkarex reviewed Apr 2, 2026

View reviewed changes

Comment thread app/i18n/fr/admin.php Outdated

Alkarex and others added 4 commits April 3, 2026 01:39

Fix whitespace i18n fr

493b1df

Merge branch 'edge' into ssrf-blocklist

38854e6

Merge branch 'edge' into ssrf-blocklist

9f05c06

make fix-all

d6b590f

Merge branch 'edge' into ssrf-blocklist

1a2ffca

Inverle added 4 commits April 20, 2026 19:25

Fix $ips_ok not being returned after domain records were cached

a9c17ec

Merge branch 'edge' into ssrf-blocklist

9d35e7a

make readme

99756d1

PHPStan fix

064872b

Inverle added 2 commits April 22, 2026 20:04

Merge branch 'edge' into ssrf-blocklist

dcd4156

make readme

6fa65c2

Uh oh!

Conversation

Inverle commented Jan 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Alkarex commented Jan 7, 2026

Uh oh!

Uh oh!

Uh oh!

Inverle commented Feb 28, 2026

Uh oh!

Inverle commented Mar 8, 2026

Uh oh!

Inverle commented Mar 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Inverle commented Mar 8, 2026

Uh oh!

Alkarex Mar 8, 2026

Choose a reason for hiding this comment

Uh oh!

Inverle Mar 9, 2026

Choose a reason for hiding this comment

Uh oh!

Inverle commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Alkarex commented Apr 2, 2026

Uh oh!

Alkarex commented Apr 2, 2026

Uh oh!

Inverle commented Apr 2, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Alkarex commented Apr 8, 2026

Uh oh!

Alkarex commented Apr 8, 2026

Uh oh!

Frenzie commented Apr 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Alkarex commented Apr 19, 2026

Uh oh!

Inverle commented Apr 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Inverle commented Jan 4, 2026 •

edited

Loading

Inverle commented Mar 8, 2026 •

edited

Loading

Inverle commented Apr 2, 2026 •

edited

Loading

Frenzie commented Apr 9, 2026 •

edited

Loading