fantonangeli commented on PR #3353: URL: https://github.com/apache/incubator-kie-tools/pull/3353#issuecomment-3611269977
CodeQL still show the SSRF warning [here](https://github.com/apache/incubator-kie-tools/security/code-scanning?query=pr%3A3353+tool%3ACodeQL+is%3Aopen+language%3Atypescript), but in the tests we have evidence that the ev var `CORS_PROXY__allowedHosts` is used successfully to validate the target URL. It seems CodeQL is not able to understand the validation which is based on `minimatch` or because he doesn't know that the user who declares `CORS_PROXY__allowedHosts` in the deployment is not the same person which send the `target-url` in the request header. As a solution, I think we can simply dismiss the alert after this PR is merged. Wdyt? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
