Issue #2496157 by dcam, larowlan, greggles, hughdavenport: SSRF present in aggregator module

README.md

@@ -27,6 +27,20 @@ information, see
 1. Configure settings for all feeds at Administration > Configuration > Web
    services > Aggregator (/admin/config/services/aggregator/settings)
 
+It is recommended to only grant the "Administer news feeds" permission to
+trusted user roles. Aggregator may be used to perform some low-threat security
+attacks against the site host or other servers on the same network. For
+example:
+* Feed entities may be created that perform server-side request forgery (SSRF)
+  requests against the host, permitting scanning of localhost ports.
+* If a host is behind a firewall on a private network, then feeds from sites
+  behind that same firewall may be created, for instance from an intranet RSS
+  feed.  This would expose the feed to the public Internet.
+
+The potential threats are not severe enough to warrant
+limiting the URLs that Aggregator will fetch, but caution should be exercised
+when permitting users to create feeds.
+
 
 ## Maintainers
 

aggregator.permissions.yml

 administer news feeds:
   title: 'Administer news feeds'
+  restrict access: TRUE
 access news feeds:
   title: 'View news feeds'