GitHub Actions
|
4a9e00c226
|
fix(security): complete SSRF remediation with defense-in-depth (CWE-918)
Resolves TWO Critical CodeQL SSRF findings by implementing four-layer
defense-in-depth architecture with connection-time validation and
handler-level pre-validation.
Phase 1 - url_testing.go:
- Created ssrfSafeDialer() with atomic DNS resolution
- Eliminates TOCTOU/DNS rebinding vulnerabilities
- Validates IPs at connection time (runtime protection layer)
Phase 2 - settings_handler.go:
- Added security.ValidateExternalURL() pre-validation
- Breaks CodeQL taint chain before network requests
- Maintains API backward compatibility (200 OK for blocks)
Defense-in-depth layers:
1. Admin access control (authorization)
2. Format validation (scheme, paths)
3. SSRF pre-validation (DNS + IP blocking)
4. Runtime re-validation (TOCTOU defense)
Attack protections:
- DNS rebinding/TOCTOU eliminated
- URL parser differentials blocked
- Cloud metadata endpoints protected
- 13+ private CIDR ranges blocked (RFC 1918, link-local, etc.)
Test coverage:
- Backend: 85.1% → 86.4% (+1.3%)
- Patch: 70% → 86.4% (+16.4%)
- 31/31 SSRF test assertions passing
- Added 38 new test cases across 10 functions
Security validation:
- govulncheck: zero vulnerabilities
- Pre-commit: passing
- All linting: passing
Industry compliance:
- OWASP SSRF prevention best practices
- CWE-918 mitigation (CVSS 9.1)
- Defense-in-depth architecture
Refs: #450
|
2025-12-23 20:52:01 +00:00 |
|