4 Commits

Author	SHA1	Message	Date
GitHub Actions	f64e3feef8	chore: clean .gitignore cache	2026-01-26 19:22:05 +00:00
GitHub Actions	e5f0fec5db	chore: clean .gitignore cache	2026-01-26 19:21:33 +00:00
GitHub Actions	3aaa059a15	fix: authentication issues for certificate endpoints and improve test coverage ... - Updated UsersPage tests to check for specific URL formats instead of regex patterns. - Increased timeout for Go coverage report generation to handle larger repositories. - Cleaned up generated artifacts before running CodeQL analysis to reduce false positives. - Removed outdated QA testing report for authentication fixes on the certificates page. - Added final report confirming successful resolution of authentication issues with certificate endpoints. - Deleted previous test output files to maintain a clean test results directory.	2026-01-03 03:08:43 +00:00
GitHub Actions	745b9e3e97	fix(security): complete SSRF remediation with defense-in-depth (CWE-918) ... Implement three-layer SSRF protection: - Layer 1: URL pre-validation (existing) - Layer 2: network.NewSafeHTTPClient() with connection-time IP validation - Layer 3: Redirect target validation New package: internal/network/safeclient.go - IsPrivateIP(): Blocks RFC 1918, loopback, link-local (169.254.x.x), reserved ranges, IPv6 private - safeDialer(): DNS resolve → validate all IPs → dial validated IP (prevents DNS rebinding/TOCTOU) - NewSafeHTTPClient(): Functional options (WithTimeout, WithAllowLocalhost, WithAllowedDomains, WithMaxRedirects) Updated services: - notification_service.go - security_notification_service.go - update_service.go - crowdsec/registration.go (WithAllowLocalhost for LAPI) - crowdsec/hub_sync.go (WithAllowedDomains for CrowdSec domains) Consolidated duplicate isPrivateIP implementations to use network package. Test coverage: 90.9% for network package CodeQL: 0 SSRF findings (CWE-918 mitigated) Closes #450	2025-12-24 17:34:56 +00:00