Aias00 opened a new pull request, #3364: URL: https://github.com/apache/hertzbeat/pull/3364
Potential fix for [https://github.com/apache/hertzbeat/security/code-scanning/84](https://github.com/apache/hertzbeat/security/code-scanning/84)

To fix the SSRF vulnerability, we need to validate and restrict the `webHookUrl` to ensure it only points to trusted domains or URLs. This can be achieved by maintaining a whitelist of allowed base URLs and verifying that the constructed `webHookUrl` matches one of these allowed URLs. Additionally, we should sanitize the `receiver.getServerChanToken()` value to prevent malicious input.

**Steps to fix:**

1. Introduce a whitelist of allowed base URLs for the webhook.
2. Validate the constructed `webHookUrl` against the whitelist.
3. Sanitize the `receiver.getServerChanToken()` value to ensure it does not contain malicious characters or patterns.

---

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@hertzbeat.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
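The three steps above (allowlist, validation of the constructed URL, token sanitization) in one piece of Java, as an added illustration and not code from the HertzBeat PR itself. The class name, the base URL `https://sctapi.example.com/`, the allowed host set and the `[A-Za-z0-9]` token pattern are assumptions made for the example; the real values would come from the project's ServerChan integration and its configuration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Builds the ServerChan webhook URL only if the token and the resulting URL pass checks. */
public final class WebhookUrlValidator {

    // Hypothetical allowlist of hosts the webhook may target (step 1 of the fix).
    private static final Set<String> ALLOWED_HOSTS = Set.of("sctapi.example.com");

    // Hypothetical base URL; in the real project this comes from the ServerChan integration.
    private static final String BASE_URL = "https://sctapi.example.com/";

    // Tokens are opaque identifiers; anything outside this character class is rejected
    // before it is ever concatenated into a URL (step 3 of the fix).
    private static final Pattern TOKEN = Pattern.compile("^[A-Za-z0-9]{1,128}$");

    private WebhookUrlValidator() {}

    /** Returns the webhook URL for the token, or throws if the token or URL is not acceptable. */
    public static String buildWebhookUrl(String token) {
        if (token == null || !TOKEN.matcher(token).matches()) {
            throw new IllegalArgumentException("token must match " + TOKEN.pattern());
        }
        String url = BASE_URL + token + ".send";
        if (!isAllowed(url)) {
            throw new IllegalArgumentException("webhook URL does not target an allowed host");
        }
        return url;
    }

    /** Step 2 of the fix: the fully constructed URL must parse and point at an allowed host. */
    public static boolean isAllowed(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        String host = uri.getHost();
        // Reject non-https schemes, userinfo ("user@host"), explicit ports and unknown hosts,
        // so a URL can only ever reach the hosts listed in ALLOWED_HOSTS.
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getRawUserInfo() == null
                && uri.getPort() == -1
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        System.out.println(buildWebhookUrl("SCT123abc"));

        // Constructed inputs that the validator must refuse.
        for (String bad : new String[] {"abc/../other", "abc?x=1", "abc#frag", ""}) {
            try {
                buildWebhookUrl(bad);
                System.out.println("unexpectedly accepted: " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }

        // The URL-level check on its own, with constructed URLs.
        System.out.println(isAllowed("https://sctapi.example.com/abc.send"));     // true
        System.out.println(isAllowed("http://sctapi.example.com/abc.send"));      // false: scheme
        System.out.println(isAllowed("https://other.example/abc.send"));          // false: host
        System.out.println(isAllowed("https://user@sctapi.example.com/abc.send")); // false: userinfo
        System.out.println(isAllowed("https://sctapi.example.com:8443/abc.send")); // false: port
    }
}
```

Checking the parsed host of the final URL, rather than testing whether the string starts with the base URL, is what makes the allowlist meaningful: a prefix comparison passes any string that begins with the base, while `URI.getHost()` reflects where the HTTP client will actually connect. The token pattern is the second layer; it keeps path separators, query and fragment characters out of the URL before the parser ever sees them.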