fix(security): complete SSRF remediation with defense-in-depth (CWE-918)

Implement three-layer SSRF protection:
- Layer 1: URL pre-validation (existing)
- Layer 2: network.NewSafeHTTPClient() with connection-time IP validation
- Layer 3: Redirect target validation

New package: internal/network/safeclient.go
- IsPrivateIP(): Blocks RFC 1918, loopback, link-local (169.254.x.x),
  reserved ranges, IPv6 private
- safeDialer(): DNS resolve → validate all IPs → dial validated IP
  (prevents DNS rebinding/TOCTOU)
- NewSafeHTTPClient(): Functional options (WithTimeout, WithAllowLocalhost,
  WithAllowedDomains, WithMaxRedirects)

Updated services:
- notification_service.go
- security_notification_service.go
- update_service.go
- crowdsec/registration.go (WithAllowLocalhost for LAPI)
- crowdsec/hub_sync.go (WithAllowedDomains for CrowdSec domains)

Consolidated duplicate isPrivateIP implementations to use network package.

Test coverage: 90.9% for network package
CodeQL: 0 SSRF findings (CWE-918 mitigated)

Closes #450
This commit is contained in:
GitHub Actions
2025-12-24 17:33:55 +00:00
parent 718969b1de
commit 745b9e3e97
17 changed files with 1802 additions and 722 deletions
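The three layers the commit message describes (IP range blocklist, resolve-then-dial-the-validated-IP, redirect re-validation) worked as an added example. This is illustrative Go written for this page, not the Charon project's `internal/network/safeclient.go`; the names `BlockedIP`, `ResolveAndValidate`, `NewRestrictedClient`, the injected `Resolver` type and the constructed hostnames under `.example.test` are assumptions, not identifiers from the project.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// Constructed blocklist: RFC 1918, loopback, link-local (169.254.0.0/16 is where
// cloud metadata endpoints live), CGNAT, and the IPv6 loopback/ULA/link-local ranges.
var blockedNets = mustParseCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// BlockedIP reports whether ip must not be dialled. Nil/unspecified addresses are
// rejected; IPv4-mapped IPv6 forms are handled because IPNet.Contains compares To4().
func BlockedIP(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() {
		return true
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolver is injected (hypothetical) so the policy can be exercised without real DNS.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

func checkIP(ip net.IP, allowLocalhost bool) error {
	if allowLocalhost && ip.IsLoopback() {
		return nil
	}
	if BlockedIP(ip) {
		return fmt.Errorf("%s is a blocked address", ip)
	}
	return nil
}

// ResolveAndValidate resolves host once and rejects it if ANY returned record is
// blocked (a hostile name may mix public and private records). The IP it returns is
// the one the caller must dial, so check and connect cannot diverge.
func ResolveAndValidate(ctx context.Context, resolve Resolver, host string, allowLocalhost bool) (net.IP, error) {
	if ip := net.ParseIP(host); ip != nil { // literal address: no lookup, same policy
		if err := checkIP(ip, allowLocalhost); err != nil {
			return nil, err
		}
		return ip, nil
	}
	ips, err := resolve(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if err := checkIP(ip, allowLocalhost); err != nil {
			return nil, fmt.Errorf("refusing %q: %w", host, err)
		}
	}
	return ips[0], nil
}

// NewRestrictedClient dials only the literal IP that passed validation (TLS still
// verifies the original hostname, since DialContext only replaces the TCP target) and
// re-applies the policy to every redirect target while capping the chain length.
func NewRestrictedClient(resolve Resolver, allowLocalhost bool, maxRedirects int) *http.Client {
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ip, err := ResolveAndValidate(ctx, resolve, host, allowLocalhost)
		if err != nil {
			return nil, err
		}
		d := &net.Dialer{Timeout: 5 * time.Second}
		return d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
	}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{DialContext: dial},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= maxRedirects {
				return errors.New("too many redirects")
			}
			if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
				return fmt.Errorf("refusing redirect to scheme %q", req.URL.Scheme)
			}
			_, err := ResolveAndValidate(req.Context(), resolve, req.URL.Hostname(), allowLocalhost)
			return err
		},
	}
}

func main() {
	// Constructed resolver standing in for DNS; "evil" mixes a public and a metadata record.
	fake := func(_ context.Context, host string) ([]net.IP, error) {
		switch host {
		case "api.example.test":
			return []net.IP{net.ParseIP("203.0.113.7")}, nil
		case "evil.example.test":
			return []net.IP{net.ParseIP("203.0.113.9"), net.ParseIP("169.254.169.254")}, nil
		}
		return nil, fmt.Errorf("NXDOMAIN %q", host)
	}
	for _, h := range []string{"api.example.test", "evil.example.test", "127.0.0.1"} {
		ip, err := ResolveAndValidate(context.Background(), fake, h, false)
		fmt.Printf("%-18s -> ip=%v err=%v\n", h, ip, err)
	}
	_ = NewRestrictedClient(fake, false, 5)
}
```

Rejecting the whole name when any record is private is the conservative choice: a resolver that picks "the first public record" still lets a server answer with a private address on the retry. Because every redirected request also passes through `DialContext`, the `CheckRedirect` hook mainly adds the scheme check and the redirect cap; keeping both layers means a future transport swap does not silently drop the IP policy.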


@@ -244,5 +244,5 @@ This security policy is part of the Charon project, licensed under the MIT Licen
---
**Last Updated**: December 23, 2025
**Version**: 1.0
**Last Updated**: December 24, 2025
**Version**: 1.1
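Review bot: the hunk moves the SECURITY.md footer from "Last Updated: December 23, 2025 / Version 1.0" to "December 24, 2025 / Version 1.1", but no policy text change is visible in these five context lines, so nothing in the file itself tells a reader what 1.1 adds. Suggest pairing the version bump with a short entry in the policy body (a changelog line or a sentence near the footer) stating that outbound HTTP now goes through the safe client with connection-time IP validation and redirect checks, as the commit message describes, so the version number carries meaning for someone reading SECURITY.md without the git history.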