Fix SSRF in imsBaseURL and clear ExtraData in integration test

anemonaaa13 · anemonaaa13 · commit 2d6045d6a1ba · 2026-04-22T16:03:35.000+03:00
diff --git a/pkg/detectors/adobeims/adobeims.go b/pkg/detectors/adobeims/adobeims.go
@@ -36,6 +36,10 @@ var (
 
 	// Matches any JWT; Adobe IMS tokens are identified by decoding the payload and checking the "as" field.
 	jwtPat = regexp.MustCompile(`(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})`)
+
+	// imsRegionPat validates the "as" field from the JWT payload before interpolating it into a URL.
+	// Prevents SSRF via crafted values like "ims-x@evil.com/".
+	imsRegionPat = regexp.MustCompile(`^ims-[a-z0-9]+$`)
 )
 
 
@@ -96,6 +100,9 @@ func decodeJWTPayload(token string) (*jwtPayload, error) {
 
 
 func imsBaseURL(as string) string {
+	if !imsRegionPat.MatchString(as) {
+		return "https://ims-na1.adobelogin.com"
+	}
 	return fmt.Sprintf("https://%s.adobelogin.com", as)
 }
 
diff --git a/pkg/detectors/adobeims/adobeims_integration_test.go b/pkg/detectors/adobeims/adobeims_integration_test.go
@@ -96,6 +96,7 @@ func TestAdobeIMS_FromData(t *testing.T) {
 					t.Fatalf("no raw secret present: \n %+v", got[i])
 				}
 				got[i].Raw = nil
+				got[i].ExtraData = nil
 			}
 			if diff := pretty.Compare(got, tt.want); diff != "" {
 				t.Errorf("AdobeIMS.FromData() %s diff: (-got +want)\n%s", tt.name, diff)

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,10 @@ var (`
`36`	`36`
`37`	`37`	`// Matches any JWT; Adobe IMS tokens are identified by decoding the payload and checking the "as" field.`
`38`	`38`	jwtPat = regexp.MustCompile(`(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})`)
	`39`	`+`
	`40`	`+ // imsRegionPat validates the "as" field from the JWT payload before interpolating it into a URL.`
	`41`	`+ // Prevents SSRF via crafted values like "ims-x@evil.com/".`
	`42`	+ imsRegionPat = regexp.MustCompile(`^ims-[a-z0-9]+$`)
`39`	`43`	`)`
`40`	`44`
`41`	`45`
`@@ -96,6 +100,9 @@ func decodeJWTPayload(token string) (*jwtPayload, error) {`
`96`	`100`
`97`	`101`
`98`	`102`	`func imsBaseURL(as string) string {`
	`103`	`+ if !imsRegionPat.MatchString(as) {`
	`104`	`+ return "https://ims-na1.adobelogin.com"`
	`105`	`+ }`
`99`	`106`	`return fmt.Sprintf("https://%s.adobelogin.com", as)`
`100`	`107`	`}`
`101`	`108`
Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,7 @@ func TestAdobeIMS_FromData(t *testing.T) {`
`96`	`96`	`t.Fatalf("no raw secret present: \n %+v", got[i])`
`97`	`97`	`}`
`98`	`98`	`got[i].Raw = nil`
	`99`	`+ got[i].ExtraData = nil`
`99`	`100`	`}`
`100`	`101`	`if diff := pretty.Compare(got, tt.want); diff != "" {`
`101`	`102`	`t.Errorf("AdobeIMS.FromData() %s diff: (-got +want)\n%s", tt.name, diff)`