
Add validate url check while reading threat intel feed (#1660) #1668

Open
nishtham-amazon wants to merge 1 commit into opensearch-project:2.18 from nishtham-amazon:backport-1660-to-2.18

Conversation

@nishtham-amazon
Contributor

Description

Add URL validation to threat intel URL_DOWNLOAD source type to prevent SSRF and local file read vulnerabilities.

The ThreatIntelFeedParser.getThreatIntelFeedReaderCSV() methods pass user-supplied URLs directly to url.openConnection() inside AccessController.doPrivileged() without any validation. This allows users with the security_analytics_full_access role to:

  1. Read local files via file:// protocol (e.g., /etc/passwd, environment variables, deployment details)
  2. Bypass RBAC via SSRF to http://127.0.0.1:9200, enabling reads of all indices including .opendistro_security (admin password hashes) and .plugins-ml-config (ML Commons encryption key)

This change adds a validateUrl() method in ThreatIntelFeedParser that enforces:

  • Protocol allowlist: Only http and https are permitted. Blocks file://, jar://, ftp://, etc.
  • Host blocklist: Blocks loopback (127.0.0.1), link-local (169.254.x.x — including EC2 IMDS), site-local/private, and any-local addresses via DNS resolution before connection.

Validation is applied in three locations:

  • ThreatIntelFeedParser.getThreatIntelFeedReaderCSV(URL url) — the URL_DOWNLOAD fetch path
  • ThreatIntelFeedParser.getThreatIntelFeedReaderCSV(TIFMetadata tifMetadata) — the built-in feed updater path (defense in depth)
  • UrlDownloadSource.parse() — early rejection at config creation/update time

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/security-analytics/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).
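The check the description above outlines, written out as an added example; this is not the security-analytics plugin's own code, and the class and method names (FeedUrlGuard, validateUrl, isDisallowedAddress) are assumptions. The four blocked address classes map directly onto java.net.InetAddress's isLoopbackAddress, isLinkLocalAddress, isSiteLocalAddress and isAnyLocalAddress; the example also goes beyond the PR description by rejecting two ranges those predicates do not cover, IPv6 unique-local fc00::/7 and IPv4 shared address space 100.64.0.0/10. The sample URLs in main are constructed.

```java
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

// Added example, not the security-analytics plugin's code. Class and method
// names (FeedUrlGuard, validateUrl, isDisallowedAddress) are assumptions.
public final class FeedUrlGuard {

    // Protocol allowlist: file:, jar:, ftp: and every other scheme are rejected.
    private static final Set<String> ALLOWED_PROTOCOLS = Set.of("http", "https");

    // Throws IllegalArgumentException unless the scheme is http/https and every
    // address the host resolves to lies outside the blocked ranges.
    public static void validateUrl(String rawUrl) {
        final URL url;
        try {
            url = new URL(rawUrl);
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException("malformed feed URL: " + rawUrl, e);
        }
        String protocol = url.getProtocol().toLowerCase(Locale.ROOT);
        if (!ALLOWED_PROTOCOLS.contains(protocol)) {
            throw new IllegalArgumentException("protocol not allowed: " + protocol);
        }
        String host = url.getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("feed URL has no host");
        }
        // Resolve every record, not only the first: a name with one public and
        // one private A record must still be rejected.
        final InetAddress[] addresses;
        try {
            addresses = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("cannot resolve host: " + host, e);
        }
        for (InetAddress addr : addresses) {
            if (isDisallowedAddress(addr)) {
                throw new IllegalArgumentException(
                    "host " + host + " resolves to blocked address " + addr.getHostAddress());
            }
        }
    }

    static boolean isDisallowedAddress(InetAddress addr) {
        // The four classes named in the PR description, as java.net.InetAddress exposes them.
        if (addr.isLoopbackAddress()        // 127.0.0.0/8, ::1
            || addr.isLinkLocalAddress()    // 169.254.0.0/16 (incl. 169.254.169.254 IMDS), fe80::/10
            || addr.isSiteLocalAddress()    // 10/8, 172.16/12, 192.168/16, fec0::/10
            || addr.isAnyLocalAddress()) {  // 0.0.0.0, :: (connects to loopback on Linux)
            return true;
        }
        // Beyond the PR description: ranges InetAddress does not classify as local.
        byte[] b = addr.getAddress();
        if (b.length == 16) {
            // IPv6 unique-local fc00::/7 (e.g. EC2's IPv6 IMDS endpoint fd00:ec2::254)
            return (b[0] & 0xfe) == 0xfc;
        }
        // IPv4 shared address space 100.64.0.0/10 (carrier-grade NAT)
        return (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first needs working DNS to be allowed.
        String[] samples = {
            "https://example.com/feed.csv",
            "file:///etc/passwd",
            "jar:file:///tmp/x.jar!/feed.csv",
            "http://127.0.0.1:9200/_cat/indices",
            "http://169.254.169.254/latest/meta-data/",
            "http://[::1]:9200/.opendistro_security/_search",
            "http://10.0.0.5/feed.csv",
            "http://[fd00:ec2::254]/latest/meta-data/",
        };
        for (String s : samples) {
            try {
                validateUrl(s);
                System.out.println("ALLOW  " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two gaps remain even with this check in place, and a reviewer would want them addressed before calling the SSRF closed. First, the name is resolved once here and again inside url.openConnection(), so a DNS-rebinding attacker can answer with a public address for the check and a loopback address for the connection; the robust fix is to connect to the address that was vetted (or to pin resolution through a custom resolver) rather than to re-resolve. Second, HttpURLConnection follows redirects by default, so an allowed https URL that answers 302 Location: http://127.0.0.1:9200/... lands on the cluster anyway; disable automatic redirects and run validateUrl on each Location before following it.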

…oject#1660)

* Add validate url check while reading threat intel feed

Signed-off-by: nishtham <nishtham@amazon.com>

* Added unit tests for url validation for threat intel feeds

---------

Signed-off-by: nishtham <nishtham@amazon.com>