Summary
The PHP proxy files (gemini-proxy.php, anthropic-proxy.php, openai-proxy.php) accept a path parameter from the query string with minimal sanitization (only ltrim). No URL validation or allowlist prevents requests to unintended endpoints on the upstream host.
Risk Assessment
- Risk Level: Medium
- Likelihood: Low-Medium
- Impact: High — if deployed to production, could be used for SSRF
- Timeline: Exploitable if deployed without an additional security layer
Affected Code
gemini-proxy.php (line 7)

```php
$path = $_GET['path'] ?? '';      // user-controlled, taken straight from the query string
$path = ltrim($path, '/');        // only sanitization applied: strip leading slashes
// ...
$targetUrl = 'https://generativelanguage.googleapis.com/' . $path;  // appended without validation
```
proxy-utils.php (line 60)
Headers are forwarded with a blocked list, but no validation of the target URL itself.
Suggested Fix
- Validate $path against an allowlist: /^v1(beta)?\/models\/[\w.-]+:(generateContent|streamGenerateContent)$/
- Add rate limiting per IP
- Validate that the path contains only expected characters: [a-zA-Z0-9/:\-.]
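One way to apply both checks from the suggested fix before the path is appended to the base URL, as an added example that is not the project's own code; the base URL and the ltrim step mirror gemini-proxy.php, the function name and the sample inputs are assumptions:

```php
<?php
// Added example (not code from the repository): strict validation of the
// proxied path before it is concatenated onto the upstream base URL.
declare(strict_types=1);

const GEMINI_BASE_URL = 'https://generativelanguage.googleapis.com/';

// Endpoint allowlist from the suggested fix: only model generation calls.
const GEMINI_PATH_ALLOWLIST =
    '/^v1(beta)?\/models\/[\w.-]+:(generateContent|streamGenerateContent)$/';

// Character allowlist from the suggested fix, applied first so that anything
// outside the expected alphabet ("?", "#", "@", whitespace, "%") is refused
// before the endpoint pattern is even evaluated.
const GEMINI_PATH_CHARSET = '/^[a-zA-Z0-9\/:\-.]+$/';

/**
 * Returns the full upstream URL for an allowed path, or null when the path
 * must be rejected. Callers should answer 400 on null and never fall back
 * to the raw value. (Hypothetical helper name.)
 */
function build_gemini_target_url(string $rawPath): ?string
{
    $path = ltrim($rawPath, '/');

    if ($path === '' || strlen($path) > 512) {
        return null;
    }
    if (preg_match(GEMINI_PATH_CHARSET, $path) !== 1) {
        return null;            // unexpected characters, e.g. an injected query string
    }
    if (preg_match(GEMINI_PATH_ALLOWLIST, $path) !== 1) {
        return null;            // well-formed but not an allowed endpoint
    }
    return GEMINI_BASE_URL . $path;
}

// Constructed sample inputs: the first is the expected call shape, the rest
// should all be refused.
$samples = [
    'v1beta/models/gemini-pro:generateContent',
    '/v1beta/models/gemini-pro:streamGenerateContent',
    'v1beta/models/gemini-pro:generateContent?key=abc',
    'v1beta/models/gemini-pro:generateContent#frag',
    'v1/files',
];
foreach ($samples as $s) {
    $url = build_gemini_target_url($s);
    echo str_pad($s, 52) . ' => ' . ($url ?? 'REJECTED') . PHP_EOL;
}
```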