mirror of https://github.com/inventree/InvenTree.git synced 2026-07-04 14:10:52 +00:00

Improve security posture of PDF reporting (#12160)

* Add custom URL fetcher for PDF rendering

* Fix for report helper functions

* Use new fetcher

* Additional unit tests

* Add new setting to control remote URL fetching

* validate URLs against SSRF

* Add global setting to disable URL fetching entirely

* Update docs

* Fix capitalization

* Fix logging backend

* Update CHANGELOG
Oliver
2026-06-14 10:55:51 +10:00
committed by GitHub
parent b294bba66b
commit 2b4f303770
12 changed files with 327 additions and 7 deletions
@@ -230,3 +230,35 @@ And the snippet file `stock_row.html` may be written as follows:
</tr>
{% endraw %}
```
## Security
Report templates are powerful by design — they have access to the full Django template language and to model data across the InvenTree database. For this reason, **template upload is restricted to staff users only**.
### URL Fetching
When WeasyPrint renders a template to PDF it can make outbound requests to load images, stylesheets, and fonts referenced in the HTML. InvenTree restricts this through a custom URL fetcher with the following rules:
| URL Type | Behavior |
|---|---|
| `data:` URIs | Always permitted — self-contained, no network access |
| `file://` | Always blocked — assets and images must be inlined as `data:` URIs before reaching WeasyPrint |
| `http` / `https` | Disabled by default, but can be blocked - see *Remote URL Fetching* below |
| Any other scheme | Always blocked |
HTTP redirects are also disabled: a URL that passes validation cannot redirect to an internal address.
### Remote URL Fetching
The **Report URL Fetching** system setting (`REPORT_FETCH_URLS`) controls whether `http://` and `https://` URLs in templates are permitted. It defaults to **disabled**.
When enabled, URLs are still validated against private, loopback, link-local, and reserved IP ranges before the request is made, preventing templates from being used as a vector for [Server-Side Request Forgery (SSRF)](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) attacks against internal network services.
!!! warning "Enable with care"
Enabling remote URL fetching allows report templates to trigger outbound HTTP requests from the InvenTree server. Only enable this if your templates genuinely require it, and ensure that templates are reviewed before deployment.
### Asset Files
Asset files uploaded through the admin interface are embedded directly into the rendered PDF as base64 `data:` URIs — they are read via the Django storage API and never loaded through WeasyPrint's URL fetcher. This means assets work correctly regardless of whether remote URL fetching is enabled, and also work with remote storage backends such as S3.
There are various [helper functions](./helpers.md#report-assets) available to assist with embedding assets into templates.
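Review bot: the `http` / `https` row of the URL Type table reads "Disabled by default, but can be blocked", which contradicts the *Remote URL Fetching* section directly below it, where `REPORT_FETCH_URLS` defaults to disabled and enabling it is what permits these URLs; suggest `| `http` / `https` | Disabled by default, but can be enabled - see *Remote URL Fetching* below |`. It would also help readers to state whether the private, loopback, link-local and reserved range validation is applied to the addresses a hostname resolves to, rather than only to literal IP addresses in the URL, since that is what determines whether the SSRF protection described here holds for hostnames as well.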
@@ -1,5 +1,5 @@
---
title: Report and LabelGeneration
title: Report and Label Generation
---
## Custom Reports
@@ -144,6 +144,7 @@ Configuration of report generation:
{{ globalsetting("REPORT_ENABLE") }}
{{ globalsetting("REPORT_DEFAULT_PAGE_SIZE") }}
{{ globalsetting("REPORT_DEBUG_MODE") }}
{{ globalsetting("REPORT_FETCH_URLS") }}
{{ globalsetting("REPORT_LOG_ERRORS") }}
### Label Printing
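Review bot: `REPORT_FETCH_URLS` is added to the settings list without any pointer to what it controls; since this commit also adds a *Security* section to the report template docs describing the SSRF validation and the "Enable with care" warning for this setting, consider adding a short note or link to that section next to this entry so administrators see the caveats before enabling it.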