## Critical Vulnerability Information

### HTTP Redirects and Timeouts

- Saleor disables outgoing HTTP redirects by default and enforces strict timeout values (typically under 20 s).
- This design aims to prevent potential DDoS attacks initiated by internal personnel.
- Without such measures, a malicious employee could point an outgoing request at an endpoint that loops through endless redirects, tying up server resources.
- Timeout settings cannot be overridden dynamically, but they can be changed in `settings.py`.

### IP Address Filtering (SSRF Protection)

- Saleor blocks all outbound traffic to private and loopback IP addresses by default.
- This stops a malicious employee from using Saleor's outbound requests to reach internal resources, which could otherwise lead to unauthorized access to services deployed on your internal network, or even a foothold for further movement (e.g., lateral movement to gain additional privileges).
- IP address filtering is enabled by default and is controlled via the environment variable `HTTP_IP_FILTER_ENABLED`.
- Outbound traffic to loopback addresses is disallowed by default; this behavior is controlled via the environment variable `HTTP_IP_FILTER_ALLOW_LOOPBACK_IPS`.
- Currently, only "block-all" or "allow-all" modes are supported; there is no per-address allowlist.

### Restricted File Uploads

- Saleor restricts the file types that can be uploaded by default, preventing employees from uploading risky files such as `.html`, `.svg`, or `.exe`.
- Additional allowed MIME types can be specified via the `UPLOAD_ADDITIONAL_ALLOWED_MIME_TYPES` environment variable.

### EditorJS & HTML Cleaning

- Saleor accepts HTML in rich text fields but sanitizes untrusted HTML input using `nh3` (Python bindings for the Rust `Ammonia` library) to prevent XSS attacks.
- The cleaner can be configured via environment variables such as `EDITOR_JS_ALLOWED_ATTRIBUTES`, `EDITOR_JS_ALLOWED_ATTRIBUTE_VALUES`, and `EDITOR_JS_LINK_REL`.
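The IP filtering described under SSRF Protection above, as an added example of how such a check is typically built; this is illustrative code, not Saleor's own implementation. The module-level constants mirror the two environment variables named on the page but are assumptions about how they would be read, and the resolver is injectable so the check can be exercised without DNS:

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Constructed mirror of the two settings described on the page. The Python
# names are assumptions for this example, not Saleor's configuration objects.
HTTP_IP_FILTER_ENABLED = True
HTTP_IP_FILTER_ALLOW_LOOPBACK_IPS = False

Resolver = Callable[[str], Iterable[str]]


def resolve_host(host: str) -> list:
    """Default resolver: every A/AAAA record of the host (all of them must pass)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_ip_disallowed(ip: str, allow_loopback: bool = False) -> bool:
    """True when outbound traffic to this address should be refused.

    Private, link-local, reserved, multicast and unspecified addresses are
    always blocked; loopback is blocked unless allow_loopback is set. This
    matches the "block-all" mode the page describes: there is no allowlist.
    """
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        return not allow_loopback
    return (
        addr.is_private
        or addr.is_link_local
        or addr.is_reserved
        or addr.is_multicast
        or addr.is_unspecified
    )


def _is_literal_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def validate_outbound_url(
    url: str,
    *,
    enabled: bool = HTTP_IP_FILTER_ENABLED,
    allow_loopback: bool = HTTP_IP_FILTER_ALLOW_LOOPBACK_IPS,
    resolver: Resolver = resolve_host,
) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it was rejected.

    Every address the host resolves to is checked, because a name that maps to
    one public and one private address is still a path into the network. The
    caller should connect to an address it already validated rather than
    resolving a second time (DNS could change between check and use).
    """
    if not enabled:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return f"unsupported or hostless URL: {url!r}"
    host = parts.hostname
    try:
        addresses = [host] if _is_literal_ip(host) else list(resolver(host))
    except (socket.gaierror, UnicodeError) as exc:
        return f"could not resolve {host!r}: {exc}"
    if not addresses:
        return f"{host!r} resolved to no addresses"
    for ip in addresses:
        if is_ip_disallowed(ip, allow_loopback=allow_loopback):
            return f"{host!r} resolves to disallowed address {ip}"
    return None


if __name__ == "__main__":
    # Constructed sample destinations; the fake resolver keeps this offline.
    fake_dns = lambda host: ["93.184.216.34", "192.168.1.20"]
    for target in ("http://10.0.0.5/webhook", "http://127.0.0.1:8000/",
                   "http://[::ffff:10.0.0.5]/", "https://example.invalid/hook"):
        print(target, "->", validate_outbound_url(target, resolver=fake_dns) or "allowed")
```

The redirect setting from the first section matters here: because redirects are not followed, validating the initial URL is sufficient. If redirects were enabled, a permitted public host could answer with a 302 to a private address, so the same check would have to run on every hop before it is followed.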
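The upload restriction described under Restricted File Uploads above, as an added example that is not Saleor's code. It shows the point such a restriction relies on: the client-supplied Content-Type is untrusted, so the declared type is checked against an allowlist and then against the file's magic bytes. The default allowlist, the signature table and the comma-separated parsing of `UPLOAD_ADDITIONAL_ALLOWED_MIME_TYPES` are assumptions made for this example:

```python
from typing import Optional

# Constructed default allowlist for this example (Saleor's real default list is
# not reproduced here): formats browsers render as inert images or documents.
DEFAULT_ALLOWED_MIME_TYPES = frozenset({
    "image/png", "image/jpeg", "image/gif", "image/webp", "application/pdf",
})

# Magic-byte prefixes used to confirm that the content matches the declared type.
_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
)
_SNIFFABLE = frozenset(mime for _, mime in _SIGNATURES) | {"image/webp"}


def sniff_mime(head: bytes) -> Optional[str]:
    """Identify the content type from the first bytes, or None if unrecognised."""
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "image/webp"
    for magic, mime in _SIGNATURES:
        if head.startswith(magic):
            return mime
    return None


def parse_additional_types(env_value: str) -> frozenset:
    """Parse a comma-separated list as the environment variable might carry it
    (the exact format is assumed for this example)."""
    return frozenset(t.strip().lower() for t in env_value.split(",") if t.strip())


def check_upload(declared_mime: str, head: bytes,
                 additional: frozenset = frozenset()) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise the reason it was refused.

    Types outside the signature table (anything an operator adds, e.g. SVG) are
    accepted on the declared type alone: extending the allowlist is exactly the
    trust the operator takes on, and the check cannot verify it for them.
    """
    allowed = DEFAULT_ALLOWED_MIME_TYPES | additional
    declared = declared_mime.split(";")[0].strip().lower()  # drop parameters
    if declared not in allowed:
        return f"type {declared!r} is not in the upload allowlist"
    if declared in _SNIFFABLE:
        sniffed = sniff_mime(head)
        if sniffed != declared:
            found = sniffed or "unrecognised content"
            return f"declared {declared!r} but the bytes look like {found}"
    return None


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header and an HTML body claiming to be PNG.
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    html_head = b"<html><body><script>alert(1)</script>"
    print(check_upload("image/png", png_head) or "accepted")
    print(check_upload("image/png", html_head))
    print(check_upload("text/html", html_head))
```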