Skip to content

fix(security): block SSRF in getRepoData requestUrl handling#256

Open
asif786ka wants to merge 1 commit into
idosal:mainfrom
asif786ka:fix/asif786ka-ssrf
Open

fix(security): block SSRF in getRepoData requestUrl handling#256
asif786ka wants to merge 1 commit into
idosal:mainfrom
asif786ka:fix/asif786ka-ssrf

Conversation

@asif786ka

Copy link
Copy Markdown

Summary

  • Add host allowlist and private-IP blocking for absolute requestUrl values
  • Add regression test for internal-service SSRF attempt

Fixes #249

Test plan

  • repoData.test.ts SSRF case rejects untrusted host

Made with Cursor

@asif786ka
asif786ka force-pushed the fix/asif786ka-ssrf branch 2 times, most recently from c44f056 to d5822af Compare July 7, 2026 16:21
Validate absolute requestUrl hosts against an allowlist and reject
private/internal addresses unless running on localhost.

Fixes idosal#249
@asif786ka
asif786ka force-pushed the fix/asif786ka-ssrf branch from d5822af to aaff9d9 Compare July 7, 2026 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: Critical SSRF Vulnerability in getRepoData

1 participant