Prevent Server-Side Request Forgery (SSRF) in External Datasources #23
Description:
The platform lets users configure and execute requests to external endpoints (REST APIs, GraphQL, web URLs). The backend currently dispatches these requests without validating the destination address, so an attacker can configure a datasource that targets internal network resources or cloud metadata services (e.g., http://169.254.169.254/latest/meta-data/).
Impact:
Attackers can bypass external firewalls, scan internal networks, or exfiltrate highly sensitive cloud IAM credentials.
Affected Components:
packages/datasources-logic/src/data-sources/restapi/datasource.js
packages/datasources-logic/src/data-sources/weburl/datasource.js
packages/datasources-logic/src/data-sources/graphql/datasource.js
Suggested Remediation:
Implement an SSRF mitigation library (such as ssrf-req-filter) on the backend's HTTP client (axios/fetch).
Explicitly block requests to localhost, 127.0.0.1, private IP ranges (RFC 1918), and AWS/GCP/Azure metadata IP addresses.