GHSA-4vmc-gm8v-m35h

Summary

The default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services that the default deny-list is intended to block. This crosses a real security boundary because an external caller can force the server to make outbound requests to internal-only targets.

Details

The issue originates from the shipped default deny-list regexes and the way those regexes are applied:

• pkg/modules/api/api.go:198-200 defines the default api-download-from-deny-list.
• pkg/modules/webhook/webhook.go:41-43 defines the default webhook-deny-list.
• pkg/gotenberg/filter.go:20-69 evaluates those patterns with regexp2 using case-sensitive matching.

The attacker-controlled URL then reaches outbound request sinks:

• pkg/modules/api/context.go:208-282
  • Reads attacker-supplied downloadFrom.
  • Calls gotenberg.FilterDeadline(...).
  • Issues an outbound GET with retryablehttp.NewRequest(...) and client.Do(...).
• pkg/modules/webhook/middleware.go:99-217
  • Reads Gotenberg-Webhook-Url and Gotenberg-Webhook-Events-Url.
  • Calls gotenberg.FilterDeadline(...).
  • Constructs a client for outbound delivery.
• pkg/modules/webhook/client.go:39-152
  • Sends the success or error webhook request.
• pkg/modules/webhook/client.go:155-216
  • Sends the webhook event request.

Why the bypass works:

1. The default deny-list only blocks lowercase http:// and https:// prefixes.
2. The filtering logic performs case-sensitive regex matching on the raw user input.
3. Go's HTTP stack accepts multiple textual representations of loopback/private addresses that are not covered by the default regex, including IPv4-mapped IPv6 loopback like http://[::ffff:127.0.0.1]:18081/....
4. As a result, a URL can fail the deny-list check but still be...