4a9e00c226
Resolves TWO Critical CodeQL SSRF findings by implementing four-layer defense-in-depth architecture with connection-time validation and handler-level pre-validation. Phase 1 - url_testing.go: - Created ssrfSafeDialer() with atomic DNS resolution - Eliminates TOCTOU/DNS rebinding vulnerabilities - Validates IPs at connection time (runtime protection layer) Phase 2 - settings_handler.go: - Added security.ValidateExternalURL() pre-validation - Breaks CodeQL taint chain before network requests - Maintains API backward compatibility (200 OK for blocks) Defense-in-depth layers: 1. Admin access control (authorization) 2. Format validation (scheme, paths) 3. SSRF pre-validation (DNS + IP blocking) 4. Runtime re-validation (TOCTOU defense) Attack protections: - DNS rebinding/TOCTOU eliminated - URL parser differentials blocked - Cloud metadata endpoints protected - 13+ private CIDR ranges blocked (RFC 1918, link-local, etc.) Test coverage: - Backend: 85.1% → 86.4% (+1.3%) - Patch: 70% → 86.4% (+16.4%) - 31/31 SSRF test assertions passing - Added 38 new test cases across 10 functions Security validation: - govulncheck: zero vulnerabilities - Pre-commit: passing - All linting: passing Industry compliance: - OWASP SSRF prevention best practices - CWE-918 mitigation (CVSS 9.1) - Defense-in-depth architecture Refs: #450
8.9 KiB
8.9 KiB