fantonangeli commented on PR #3353:
URL: https://github.com/apache/incubator-kie-tools/pull/3353#issuecomment-3617652820

   Did a bit more investigation on the SSRF alert and tried the following code:
   ```js
         const href = info.proxyUrl.href;

         // still show js/request-forgery error
         if (!/^https?:\/\/example\.com\/.*$/.test(href)) {
           throw new Error(`The target URL is not allowed. Requested: ${info.proxyUrl.href}`);
         }

         // fixes js/request-forgery
         if (!/^http:\/\/example\.com\/query$/.test(href)) {
           throw new Error(`The target URL is not allowed. Requested: ${info.proxyUrl.href}`);
         }

         // still show js/request-forgery error
         if (!href.startsWith("https://example.com/")) {
           throw new Error(`The target URL is not allowed. Requested: ${info.proxyUrl.href}`);
         }

         const proxyResponse = await fetch(href, {
           method: req.method,
           headers: outHeaders,
           redirect: "manual",
           body: req.method !== "GET" && req.method !== "HEAD" ? req : undefined,
           agent: this.getProxyAgent(info),
         });
   ```
   
   With this simplified code I can see that CodeQL will not be happy until there is a check on the **full** URL and not just the domain. But this is not possible for us.
   So, with the domain checks in this PR and dismissing the alert, it's enough, IMO.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
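An added example, not code from the incubator-kie-tools PR or from the comment above, of a proxy target check done on the parsed URL rather than on the raw string: it pins scheme, host and port through `URL.origin`, rejects embedded credentials, and rebuilds the outbound href from the allowlisted origin plus the validated path and query so the value handed to `fetch()` derives from a constant. `ALLOWED_ORIGINS`, `resolveProxyTarget` and `naivePrefixCheck` are names assumed here, and the allowlisted origin is an assumption. The block also includes a raw-string prefix check, as contrast, to show the host-confusion case it lets through.

```javascript
// Added example (not the PR's code). ALLOWED_ORIGINS is an assumed value;
// URL.origin is "scheme://host[:port]", so a single entry pins all three.
const ALLOWED_ORIGINS = new Set(["https://example.com"]);

// Returns the href that should be passed to fetch(), or throws if the
// requested target is outside the allowlist.
function resolveProxyTarget(rawHref, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    // WHATWG parsing: lowercases the host and normalizes the path, so the
    // comparison below is against canonical components, not raw bytes.
    url = new URL(rawHref);
  } catch {
    throw new Error(`The target URL is not parseable. Requested: ${rawHref}`);
  }

  // Credentials in the authority ("https://example.com@evil.test/") are a
  // classic way to confuse string-based checks; a proxy never needs them.
  if (url.username !== "" || url.password !== "") {
    throw new Error(`The target URL must not carry credentials. Requested: ${rawHref}`);
  }

  // Exact-origin match: "http://example.com/", "https://example.com:8443/"
  // and "https://example.com.evil.test/" all have a different origin.
  if (!allowedOrigins.has(url.origin)) {
    throw new Error(`The target URL is not allowed. Requested: ${rawHref}`);
  }

  // Rebuild the target from the allowlisted origin plus the validated
  // path/query. The fragment is dropped deliberately: fetch() never sends it.
  return new URL(url.pathname + url.search, url.origin).href;
}

// Raw-string prefix test, as contrast: without the trailing "/" it accepts
// any host that merely starts with the same characters.
function naivePrefixCheck(rawHref) {
  return rawHref.startsWith("https://example.com");
}
```

Usage: call `resolveProxyTarget(info.proxyUrl.href)` and pass its return value, not the original href, to `fetch()`. Whether a given static-analysis query recognises this pattern as a sanitizer is not asserted here; the point is that the check operates on parsed components and the outbound URL is assembled from the allowlisted constant.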