GitHub Actions
|
5164ea82d1
|
fix(security): eliminate SSRF vulnerability in URL connectivity testing (CWE-918)
Resolves Critical severity CodeQL finding in url_testing.go by implementing
connection-time IP validation via custom DialContext. This eliminates TOCTOU
vulnerabilities and prevents DNS rebinding attacks.
Technical changes:
- Created ssrfSafeDialer() with atomic DNS resolution and IP validation
- Refactored TestURLConnectivity() to use secure http.Transport
- Added scheme validation (http/https only)
- Prevents access to 13+ blocked CIDR ranges (RFC 1918, cloud metadata, etc.)
Security impact:
- Prevents SSRF attacks (CWE-918)
- Blocks DNS rebinding
- Protects cloud metadata endpoints
- Validates redirect targets
Testing:
- All unit tests pass (88.0% coverage in utils package)
- Pre-commit hooks: passed
- Security scans: zero vulnerabilities
- CodeQL: Critical finding resolved
Refs: #450
|
2025-12-23 17:10:12 +00:00 |
|