Files

GitHub Actions 745b9e3e97 fix(security): complete SSRF remediation with defense-in-depth (CWE-918)

Implement three-layer SSRF protection:
- Layer 1: URL pre-validation (existing)
- Layer 2: network.NewSafeHTTPClient() with connection-time IP validation
- Layer 3: Redirect target validation

New package: internal/network/safeclient.go
- IsPrivateIP(): Blocks RFC 1918, loopback, link-local (169.254.x.x),
  reserved ranges, IPv6 private
- safeDialer(): DNS resolve → validate all IPs → dial validated IP
  (prevents DNS rebinding/TOCTOU)
- NewSafeHTTPClient(): Functional options (WithTimeout, WithAllowLocalhost,
  WithAllowedDomains, WithMaxRedirects)

Updated services:
- notification_service.go
- security_notification_service.go
- update_service.go
- crowdsec/registration.go (WithAllowLocalhost for LAPI)
- crowdsec/hub_sync.go (WithAllowedDomains for CrowdSec domains)

Consolidated duplicate isPrivateIP implementations to use network package.

Test coverage: 90.9% for network package
CodeQL: 0 SSRF findings (CWE-918 mitigated)

Closes #450

2025-12-24 17:34:56 +00:00

created

chore: move processed issue files to created/ [skip ci]

2025-12-24 14:36:11 +00:00

_TEMPLATE.md

feat: add docs-to-issues workflow for automated GitHub issue creation

2025-12-13 02:08:57 +00:00

pre-existing-test-failures.md

fix(security): resolve CrowdSec startup and permission issues

2025-12-23 01:59:21 +00:00

README.md

feat: add docs-to-issues workflow for automated GitHub issue creation

2025-12-13 02:08:57 +00:00

ssrf_manual_test_plan.md

fix(security): complete SSRF remediation with defense-in-depth (CWE-918)

2025-12-24 17:34:56 +00:00

README.md

docs/issues - Issue Specification Files

This directory contains markdown files that are automatically converted to GitHub Issues when merged to main or development.

How It Works

Create a markdown file in this directory using the template format
Add YAML frontmatter with issue metadata (title, labels, priority, etc.)
Merge to main/development - the docs-to-issues.yml workflow runs
GitHub Issue is created with your specified metadata
File is moved to docs/issues/created/ to prevent duplicates

Quick Start

Copy _TEMPLATE.md and fill in your issue details:

---
title: "My New Issue"
labels:
  - feature
  - backend
priority: medium
---

# My New Issue

Description of the issue...

Frontmatter Fields

Field	Required	Description
`title`	Yes*	Issue title (*or uses first H1 as fallback)
`labels`	No	Array of labels to apply
`priority`	No	`critical`, `high`, `medium`, `low`
`milestone`	No	Milestone name
`assignees`	No	Array of GitHub usernames
`parent_issue`	No	Parent issue number for linking
`create_sub_issues`	No	If `true`, each `## Section` becomes a sub-issue

Sub-Issues

To create multiple related issues from one file, set create_sub_issues: true:

---
title: "Main Testing Issue"
labels: [testing]
create_sub_issues: true
---

# Main Testing Issue

Overview content for the parent issue.

## Unit Testing

This section becomes a separate issue.

## Integration Testing

This section becomes another separate issue.

Manual Trigger

You can manually run the workflow with:

# Dry run (no issues created)
gh workflow run docs-to-issues.yml -f dry_run=true

# Process specific file
gh workflow run docs-to-issues.yml -f file_path=docs/issues/my-issue.md

Labels

Labels are automatically created if they don't exist. Common labels:

Priority: critical, high, medium, low
Type: feature, bug, enhancement, testing, documentation
Component: backend, frontend, ui, security, caddy, database