Merge branch '4.x' of https://github.com/craftcms/cms into 5.x

brandonkelly · brandonkelly · commit 9d9b46a9e40c · 2025-12-30T15:01:13.000-08:00
# Conflicts:
#	CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@
 - Fixed a JavaScript error that could occur if two control panel animations were triggered simultaneously.
 - Fixed a bug where it wasn’t possible to copy/paste nested entries within Matrix fields set to the inline-editable blocks view mode, for unpublished owner elements. ([#18185](https://github.com/craftcms/cms/pull/18185))
 - Fixed a bug where custom fields’ checkboxes weren’t getting removed from field layouts’ “Card Attributes” lists when removed from the layout.
+- Fixed an SSRF vulnerability. (GHSA-96pq-hxpw-rgh8)
 
 ## 5.8.21 - 2025-12-04
 
diff --git a/src/gql/resolvers/mutations/Asset.php b/src/gql/resolvers/mutations/Asset.php
@@ -242,12 +242,7 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
         } elseif (!empty($fileInformation['url'])) {
             $url = $fileInformation['url'];
 
-            // make sure the hostname is alphanumeric and not an IP address
-            $hostname = parse_url($url, PHP_URL_HOST);
-            if (
-                !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||
-                filter_var($hostname, FILTER_VALIDATE_IP)
-            ) {
+            if (!$this->validateHostname($url)) {
                 throw new UserError("$url contains an invalid hostname.");
             }
 
@@ -284,6 +279,46 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
         return true;
     }
 
+    private function validateHostname(string $url): bool
+    {
+        // make sure the hostname is alphanumeric and not an IP address
+        $hostname = parse_url($url, PHP_URL_HOST);
+        if (
+            !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||
+            filter_var($hostname, FILTER_VALIDATE_IP)
+        ) {
+            return false;
+        }
+
+        // Check against well-known cloud metadata domains/IPs
+        // h/t https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb
+        if (in_array($hostname, [
+            'kubernetes.default',
+            'kubernetes.default.svc',
+            'kubernetes.default.svc.cluster.local',
+            'metadata',
+            'metadata.google.internal',
+            'metadata.packet.net',
+        ])) {
+            return false;
+        }
+
+        // make sure the hostname doesn’t resolve to a known cloud metadata IP
+        $ip = gethostbyname($hostname);
+
+        if (in_array($ip, [
+            '169.254.169.254',
+            '169.254.170.2',
+            '169.254.169.254',
+            '100.100.100.200',
+            '192.0.0.192',
+        ])) {
+            return false;
+        }
+
+        return true;
+    }
+
     /**
      * Create the guzzle client.
      *
