pandaapo opened a new issue, #4564: URL: https://github.com/apache/eventmesh/issues/4564
https://github.com/apache/eventmesh/blob/715423c68ff3df1c3a065080c4ffd6707efe891e/eventmesh-runtime/src/main/java/org/apache/eventmesh/runtime/util/WebhookUtil.java#L52-L58

The static method in this utility class directly uses the URL passed in by the user, which has a hidden security issue. Directly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.

Tracking issue for:
- [ ] https://github.com/apache/eventmesh/security/code-scanning/131
