GitHub Actions
c9d9c52657
fix(security): eliminate SSRF vulnerability with comprehensive test coverage (CWE-918)
Resolves Critical severity CodeQL finding in url_testing.go by implementing
connection-time IP validation via custom DialContext. Added comprehensive
test coverage for all SSRF protection mechanisms across the codebase.
Technical changes:
- Created ssrfSafeDialer() with atomic DNS resolution and IP validation
- Refactored TestURLConnectivity() to use secure http.Transport
- Added scheme validation (http/https only)
- Prevents access to 13+ blocked CIDR ranges
Test coverage improvements:
- Backend: 85.1% → 86.5% (+1.4%)
- Patch coverage: 70% → 86.5% (+16.5%)
- Added 38 new test cases across 7 functions
- docker_service.go: 0% → 85.2%
- update_service.go: 26% → 95.2%
- crowdsec/registration.go: 18% → 92.3%
Security impact:
- Prevents SSRF attacks (CWE-918)
- Blocks DNS rebinding
- Protects cloud metadata endpoints
- Validates all URL inputs with comprehensive tests
Testing:
- All 1172+ tests passing
- govulncheck: zero vulnerabilities
- Trivy: zero issues
- Pre-commit: passing
Refs: #450
2025-12-23 17:42:21 +00:00
..
2025-12-23 16:32:19 +00:00
2025-12-23 15:09:22 +00:00
2025-12-23 15:09:22 +00:00
2025-12-23 17:42:21 +00:00
2025-12-23 15:09:22 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-20 20:37:16 +00:00
2025-12-23 15:09:22 +00:00
2025-12-14 00:11:06 +00:00
2025-12-14 00:11:06 +00:00
2025-12-14 00:11:06 +00:00
2025-12-21 04:08:42 +00:00
2025-12-23 01:59:21 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-23 03:28:45 +00:00
2025-12-23 01:59:21 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-21 04:08:42 +00:00
2025-12-23 01:59:21 +00:00
2025-12-21 04:08:42 +00:00
2025-12-23 01:23:54 -05:00
2025-12-23 06:52:19 +00:00