
fix(lightning): block SSRF path traversal in LNURL endpoints (BUG-1209) #3862

Open
davidleomay wants to merge 3 commits into develop from fix/lnurl-ssrf-path-traversal

Conversation

@davidleomay davidleomay commented Jun 10, 2026

Member

Summary

  • Validate link IDs in LightningClient with ^[\w-]+$ regex to block path traversal via double-encoded slashes (%252f) in all LNURL forwarding endpoints (lnurlp, lnurlw, lnurld)
  • Add admin endpoint POST /admin/lightning/rotate-webhook-secrets to rotate all LNbits deposit webhook signing secrets (reuses existing DepositService.updateLightningDepositWebhook())
  • Add 11 test cases covering all malicious ID patterns from the reproducer

Context

BUG-1209 (CVSS 9.1): unauthenticated SSRF in GET /v1/lnurlp/:id allowed reading the full LNbits deposit-link inventory (~2100 records) including webhook signing secrets, by double-encoding slashes to traverse to /api/v1/links. Leaked secrets could be replayed against the deposit-confirmation endpoint.

Fixes report recommendations 2 (encoding), 3 (whitelist), and 4 (rotate signatures). Recommendation 1 (rebuild instead of passthrough) deferred as architectural follow-up.

Action items after merge

  • Rotate the LNbits API key in environment config
  • Rotate the LNbits signing keypair (signingPrivKey/signingPubKey) in environment config
  • Call POST /admin/lightning/rotate-webhook-secrets to re-sign all deposit links with the new keypair
  • Check for and remove any pay-in record created by the researcher's test (uniqueId deposit_daf9f78d63497505, ~2026-06-06 19:15 UTC)

Test plan

  • Existing lnurl-forward tests pass (4 tests)
  • New path traversal tests pass (11 tests)
  • CI: lint, format-check, test suite, CodeQL, review all green
  • Verify valid LNbits IDs (ABC123) and payment link IDs (pl_xxx, plp_xxx) still work in staging
  • Verify %252f-based traversal returns 400 instead of proxying to LNbits
  • Test webhook secret rotation endpoint in staging
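
The allow-list check described in the Summary, as an added TypeScript example that is not the project's own code: the regex is the one the PR names, while the endpoint union, the decision shape and the function names are assumptions.

```typescript
// Added example, not the project's own code: the allow-list check the PR
// describes for LNURL link IDs, applied before the ID is forwarded to LNbits.
// The endpoint names and the result shape below are assumptions.

// The pattern from the PR summary: ASCII word characters and hyphens only.
// A percent sign, a raw slash or a dot fails this test, so single- and
// double-encoded traversal attempts are rejected alike.
const LINK_ID_PATTERN = /^[\w-]+$/;

function isValidLinkId(id: string): boolean {
  return LINK_ID_PATTERN.test(id);
}

type ForwardDecision =
  | { status: 400; reason: string }
  | { status: 200; upstreamPath: string };

type LnurlEndpoint = 'lnurlp' | 'lnurlw' | 'lnurld';

// Hypothetical forwarding decision: the route param as the framework hands
// it to the handler is validated before any upstream path is built, so an
// invalid ID answers 400 instead of being proxied to LNbits.
function decideForward(endpoint: LnurlEndpoint, id: string): ForwardDecision {
  if (!isValidLinkId(id)) {
    return { status: 400, reason: `invalid link id for ${endpoint}` };
  }
  return { status: 200, upstreamPath: `/${endpoint}/${id}` };
}

// Constructed samples mirroring the PR's test plan: valid LNbits and payment
// link IDs pass, encoded or raw separators are refused.
const SAMPLE_IDS: Array<[string, boolean]> = [
  ['ABC123', true],
  ['pl_xxx', true],
  ['plp_xxx', true],
  ['some-link-id', true],
  ['%252fapi%252fv1%252flinks', false], // double-encoded slashes
  ['%2fapi', false],                    // single-encoded slash
  ['../api/v1/links', false],           // raw traversal
  ['', false],                          // empty param
];

// True when every constructed sample is classified as expected.
function checkSamples(): boolean {
  return SAMPLE_IDS.every(([id, expected]) => isValidLinkId(id) === expected);
}
```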

…UG-1209)

Validate link IDs in LightningClient to reject path traversal via
double-encoded slashes. Add admin endpoint to rotate webhook secrets.
…3869)

The Agent reuse refactoring dropped the CA-validated httpsAgent from
httpLnBitsConfig, so LNbits requests are verified against system CAs
only. In production LNbits serves the self-signed LND certificate,
which makes every LNbits call fail TLS verification. Reuse one shared
CA-validated agent for both LND and LNbits requests.