Apache Downloads Redirect Vulnerability Exposes Internal Infrastructure to SSRF Attacks
A critical security flaw in Apache's key-fetching mechanism allows HTTP redirects to be followed without validating the target domain. The `_fetch_keys_from_url` function requests the key file with `allow_redirects=True` and no further safeguards. If the primary source, downloads.apache.org, were compromised or subjected to DNS hijacking, the application would blindly follow a redirect to any destination, including sensitive internal targets such as cloud metadata endpoints (169.254.169.254), internal network services, or attacker-controlled servers. The body returned from such a redirected request is then read and stored in the application's database, creating a direct data exfiltration and injection path.
The vulnerability is located in `atr/post/keys.py` (lines 186-210) and in the `scripts/keys_import.py` import script (lines 137-140); both code paths fetch and store cryptographic keys. The absence of domain validation turns a routine data fetch into a Server-Side Request Forgery (SSRF) vector: an attacker who can influence the redirect chain, whether through a compromised Apache download server or a malicious intermediary, could force the application to request and retrieve data from internal infrastructure that should be unreachable from the public internet.
This flaw represents a significant escalation risk for any deployment using this code. It could enable attackers to probe internal networks, steal cloud instance metadata containing credentials, or feed malicious data into the application's database. The recommended remediation is to implement strict redirect target validation by creating a domain allowlist (`_ALLOWED_KEYS_DOMAINS`) explicitly permitting only trusted sources like `downloads.apache.org` and `dlcdn.apache.org`, thereby cutting off the unauthorized redirect pathway.
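The following is an added example, not code from the ATR project, showing the vulnerable pattern (every redirect followed blindly) next to the hardened pattern (every hop checked against `_ALLOWED_KEYS_DOMAINS` before it is requested). The HTTP client is replaced by a constructed offline transport so the example runs without network access; the `fake_transport` function, the `RedirectRejected` exception, the `MAX_REDIRECTS` limit and the sample URLs are assumptions of this example, and only the allowlist name and its two hosts come from the advisory.

```python
"""Redirect-target validation for key fetching (added example, not ATR's code)."""
from __future__ import annotations

import urllib.parse

# Allowlist of hosts from which key files may be fetched. The name and the
# two hosts come from the advisory; any further entries are deployment policy.
_ALLOWED_KEYS_DOMAINS = frozenset({"downloads.apache.org", "dlcdn.apache.org"})

# Assumed cap on redirect hops so a misbehaving server cannot loop forever.
MAX_REDIRECTS = 5

_REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class RedirectRejected(Exception):
    """Raised when a fetch target (initial or redirected) is not allowlisted."""


def _is_allowed_target(url: str) -> bool:
    """Return True only for https URLs whose host is exactly allowlisted.

    Scheme, host and port are all checked, so a redirect to http://, to a raw
    IP such as 169.254.169.254, to a non-standard port, or to a look-alike host
    (downloads.apache.org.evil.example) is rejected. Exact matching, not
    suffix matching, is what prevents the look-alike case.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    if host not in _ALLOWED_KEYS_DOMAINS:
        return False
    if parts.port not in (None, 443):
        return False
    return True


def fetch_keys_unsafe(transport, url: str) -> bytes:
    """The vulnerable pattern: follow every redirect with no target check.

    This is what allow_redirects=True without validation amounts to.
    """
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = transport(url)
        if status in _REDIRECT_STATUSES and location:
            url = urllib.parse.urljoin(url, location)
            continue
        return body
    raise RedirectRejected("too many redirects")


def fetch_keys_safe(transport, url: str) -> bytes:
    """Hardened variant: validate the initial URL and every redirect hop.

    Redirects are followed manually (the equivalent of allow_redirects=False
    plus an explicit loop) so each Location value is checked before any
    request is sent to it.
    """
    for _ in range(MAX_REDIRECTS + 1):
        if not _is_allowed_target(url):
            raise RedirectRejected(f"refusing to fetch {url!r}")
        status, location, body = transport(url)
        if status in _REDIRECT_STATUSES and location:
            url = urllib.parse.urljoin(url, location)
            continue
        return body
    raise RedirectRejected("too many redirects")


# Constructed offline transport standing in for the real HTTP client.
# Maps URL -> (status, Location header, body). The "hijacked" entry models the
# advisory's scenario: the trusted host answers with a redirect to the cloud
# metadata endpoint.
_FAKE_RESPONSES = {
    "https://downloads.apache.org/example/KEYS":
        (302, "https://dlcdn.apache.org/example/KEYS", b""),
    "https://dlcdn.apache.org/example/KEYS":
        (200, None, b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed)\n"),
    "https://downloads.apache.org/hijacked/KEYS":
        (302, "http://169.254.169.254/latest/meta-data/", b""),
    "http://169.254.169.254/latest/meta-data/":
        (200, None, b"CONSTRUCTED-METADATA-LEAK"),
}


def fake_transport(url: str):
    """Return the canned response for url, or a 404 for anything unknown."""
    return _FAKE_RESPONSES.get(url, (404, None, b""))


if __name__ == "__main__":
    print(fetch_keys_safe(fake_transport, "https://downloads.apache.org/example/KEYS")[:36])
    print(fetch_keys_unsafe(fake_transport, "https://downloads.apache.org/hijacked/KEYS"))
    try:
        fetch_keys_safe(fake_transport, "https://downloads.apache.org/hijacked/KEYS")
    except RedirectRejected as exc:
        print("blocked:", exc)
```

The point of checking inside the loop rather than only on the initial URL is that the first request to downloads.apache.org is legitimate in the advisory's scenario; it is the second hop that lands on the metadata endpoint, so a check that runs once before the fetch would still miss it. Exact host matching, together with the scheme and port checks, keeps the allowlist from being bypassed by look-alike names or by the same host on an unexpected port.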