Summary
The upload proxy currently accepts target metadata from the client upload form and then performs a server-side fetch. This should be locked down so the proxy cannot be used to send requests to unsafe destinations.
Why this matters
If a self-hosted instance is exposed publicly, this behavior can be abused as a server-side request relay (SSRF-style risk).
Current behavior
- Upload flow can include proxy target metadata in form fields.
- Server route forwards upload using that target URL.
Expected behavior
- Accept only safe upload destinations (strict allowlist, for example HTTPS S3 upload endpoints).
- Reject invalid or unsafe targets with HTTP 400.
- Prefer signed and short-lived proxy metadata instead of trusting raw client-provided target URLs.
Repro (simple)
- Send a POST request to /api/upload-binary with multipart/form-data.
- Include a crafted non-S3 or internal target value in upload proxy metadata.
- Observe that server-side route attempts to process/forward using client-influenced target metadata.
Suggested fix
- Add strict target validation and reject unsafe hosts/protocols.
- Add signed short-lived proxy token for upload target.
- Keep backward compatibility only if fallback path is also strictly validated.
I can open a PR with a tested fix for this issue.
Summary
The upload proxy currently accepts target metadata from the client upload form and then performs a server-side fetch. This should be locked down so the proxy cannot be used to send requests to unsafe destinations.
Why this matters
If a self-hosted instance is exposed publicly, this behavior can be abused as a server-side request relay (SSRF-style risk).
Current behavior
Expected behavior
Repro (simple)
Suggested fix
I can open a PR with a tested fix for this issue.