GitHub Actions
5164ea82d1
fix(security): eliminate SSRF vulnerability in URL connectivity testing (CWE-918)
Resolves Critical severity CodeQL finding in url_testing.go by implementing
connection-time IP validation via custom DialContext. This eliminates TOCTOU
vulnerabilities and prevents DNS rebinding attacks.
Technical changes:
- Created ssrfSafeDialer() with atomic DNS resolution and IP validation
- Refactored TestURLConnectivity() to use secure http.Transport
- Added scheme validation (http/https only)
- Prevents access to 13+ blocked CIDR ranges (RFC 1918, cloud metadata, etc.)
Security impact:
- Prevents SSRF attacks (CWE-918)
- Blocks DNS rebinding
- Protects cloud metadata endpoints
- Validates redirect targets
Testing:
- All unit tests pass (88.0% coverage in utils package)
- Pre-commit hooks: passed
- Security scans: zero vulnerabilities
- CodeQL: Critical finding resolved
Refs: #450
2025-12-23 17:10:12 +00:00
..
2025-12-23 16:32:19 +00:00
2025-12-23 15:09:22 +00:00
2025-12-23 15:09:22 +00:00
2025-12-23 17:10:12 +00:00
2025-12-23 15:09:22 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-20 20:37:16 +00:00
2025-12-23 15:09:22 +00:00
2025-12-14 00:11:06 +00:00
2025-12-14 00:11:06 +00:00
2025-12-14 00:11:06 +00:00
2025-12-21 04:08:42 +00:00
2025-12-23 01:59:21 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-23 03:28:45 +00:00
2025-12-23 01:59:21 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-23 01:59:21 +00:00
2025-12-21 04:08:42 +00:00
2025-12-23 01:23:54 -05:00
2025-12-23 06:52:19 +00:00