SNYK-PYTHON-REPORTLAB-1022145

## Overview [reportlab](https://pypi.org/project/reportlab/) is a Python library for generating PDFs and graphics. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via `img` tags. In order to reduce risk, use `trustedSchemes` & `trustedHosts` (see in Reportlab's documentation), introduced in version 3.5.55. Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject `<img src="http://127.0.0.1:5000" valign="top"/>` 4. Create a nc listener `nc -lp 5000` 5. Run `python3 dodyssey.py` 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. `dodyssey.py` will show error since there is no img file on the url, but we are able to do SSRF ## Remediation Upgrade `reportlab` to version 3.5.55 or higher. ## References - [Changelog](https://hg.reportlab.com/hg-public/reportlab/file/f094d273903a/CHANGES.md#l71) - [Reportlab Documentation](https://www.reportlab.com/docs/reportlab-userguide.pdf)