SSRF Vulnerability in ImportTab.lua - importCodeHandle() function #9753

@n0xite

Description

Check version

  • I'm running the latest version of Path of Building and I've verified this by checking the changelog

Check for duplicates

  • I've checked for duplicate open and closed issues by using the search function of the issue tracker

What platform are you running Path of Building on?

Windows

How is Path of Building expected to behave?

When a user pastes a URL into the import field, PoB should only make outbound HTTP requests to known, allowlisted build-sharing domains such as Pastebin, pobb.in, Maxroll, etc. URLs that do not belong to these domains should be rejected.

How does Path of Building behave?

PoB makes outbound HTTP requests to an arbitrary attacker-controlled host when a crafted URL is pasted into the import field. The allowlist check in importCodeHandle() uses substring pattern matching rather than origin-anchored validation, meaning any URL that contains an allowlisted domain name anywhere is treated as valid. Additionally, the YouTube/Google redirect unwrapping logic allows the bypass to be embedded inside a seemingly legitimate YouTube URL, making social engineering easier.

How to reproduce the issue

  1. Start a local HTTP listener on port 8888
  2. Paste the following URL into the PoB import field:
    http://127.0.0.1:8888/callback?src=pastebin.com/POC or
    https://youtube.com/redirect?q=http%3A//127.0.0.1%3A8888/callback%3Fsrc%3Dpastebin.com/POC
  3. Observe that PoB makes an outbound HTTP request to 127.0.0.1:8888
  4. The listener receives the request including the client IP and User-Agent

PoB for PoE1 build code

Screenshots

https://imgur.com/a/8WCNJlF
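The two validation strategies the report contrasts, shown side by side as an added example (Python rather than the project's Lua, and not code from Path of Building). The allowlist contents, the `unwrap_redirect` helper modelled on the redirect unwrapping the report describes, and the "prepend https:// when no scheme is given" normalization are all assumptions made for illustration; the two URLs exercised are the ones given in the reproduction steps above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist of build-sharing hosts, modelled on the domains the
# report names. Real host names, but the set itself is an assumption.
ALLOWED_HOSTS = {"pastebin.com", "pobb.in", "maxroll.gg"}


def normalize(url: str) -> str:
    """Assumed normalization: users often paste 'pastebin.com/abc' without a
    scheme, so treat a scheme-less string as https."""
    return url if "://" in url else "https://" + url


def unwrap_redirect(url: str) -> str:
    """Hypothetical stand-in for the YouTube redirect unwrapping the report
    describes: for youtube.com/redirect?q=<target>, return the decoded target.
    parse_qs already percent-decodes the value."""
    parts = urlsplit(normalize(url))
    host = (parts.hostname or "").lower()
    if host in ("youtube.com", "www.youtube.com") and parts.path == "/redirect":
        q = parse_qs(parts.query).get("q")
        if q:
            return q[0]
    return url


def is_allowed_substring(url: str) -> bool:
    """The flawed pattern: accept any URL that merely *contains* an allowlisted
    name, wherever it appears (path, query string, another host's suffix)."""
    target = unwrap_redirect(url)
    return any(host in target for host in ALLOWED_HOSTS)


def is_allowed_origin(url: str) -> bool:
    """Origin-anchored check: parse the URL (after unwrapping), require an
    http(s) scheme, and compare the *parsed host* against the allowlist by
    equality. A host name in the query string or path no longer counts."""
    target = normalize(unwrap_redirect(url))
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    # The two reproduction URLs from the report plus two legitimate ones.
    samples = [
        "http://127.0.0.1:8888/callback?src=pastebin.com/POC",
        "https://youtube.com/redirect?q=http%3A//127.0.0.1%3A8888/callback%3Fsrc%3Dpastebin.com/POC",
        "https://pastebin.com/abc123",
        "pobb.in/abc123",
    ]
    for s in samples:
        print(f"{s}\n  substring check: {is_allowed_substring(s)}"
              f"\n  origin check:    {is_allowed_origin(s)}")
```

Both reproduction URLs pass the substring check and fail the origin-anchored one, while ordinary Pastebin and pobb.in links pass both. The important design point is that the redirect is unwrapped first and the result is then validated by host equality, so wrapping a disallowed target in a YouTube redirect buys nothing; any real fix in ImportTab.lua would need the same ordering.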

Labels: bug