penpot

github/penpot

Fork 0

mirror of https://github.com/penpot/penpot.git synced 2026-05-26 18:33:43 +00:00

Commit Graph

Author	SHA1	Message	Date
Andrey Antukh	1b6b367951	✨ Add diagnostic keys to SSRF validation exceptions Add :uri and :scheme/:host keys to exceptions raised by `validate-uri` for better error diagnostics. Also fix a bug where (str url) was used instead of (str uri) in the host-missing exception path. Update the existing blocked-target test to verify the new :uri key, and add three new tests covering scheme rejection, missing host, and DNS failure error paths. All 27 tests pass with 60 assertions and 0 failures. Signed-off-by: Andrey Antukh <niwi@niwi.nz>	2026-05-18 15:57:55 +00:00
Andrey Antukh	279231240d	🐛 Harden outbound HTTP requests against SSRF and restrict assets handlers (#9390 ) * ⬆️ Update root deps * 🐛 Harden outbound HTTP requests against SSRF and restrict unauthenticated asset access - Add app.util.ssrf URL/host validator that resolves hostnames and blocks loopback, link-local, site-local, cloud metadata, and operator-supplied CIDRs - Add app.media.sanitize image EOF truncator that strips trailing data after PNG IEND, JPEG EOI, GIF trailer, and WebP RIFF markers - Disable HTTP client auto-redirect; add req-with-redirects! helper that revalidates every redirect hop against the SSRF blocklist - Wire SSRF validation and EOF sanitization into media/download-image - Validate webhook URLs and OIDC profile picture URLs against SSRF - Restrict /assets/by-id to require authentication for non-public buckets (profile) while keeping public access for file-media-object, file-object-thumbnail, team-font-variant, and file-data-fragment - Add config knobs: ssrf-protection-enabled, ssrf-allowed-hosts, ssrf-extra-blocked-cidrs Signed-off-by: Andrey Antukh <niwi@niwi.nz> --------- Signed-off-by: Andrey Antukh <niwi@niwi.nz>	2026-05-08 09:18:22 +02:00

Author

SHA1

Message

Date

Andrey Antukh

1b6b367951

✨ Add diagnostic keys to SSRF validation exceptions

Add :uri and :scheme/:host keys to exceptions raised by
`validate-uri` for better error diagnostics. Also fix a bug
where (str url) was used instead of (str uri) in the
host-missing exception path.

Update the existing blocked-target test to verify the new :uri
key, and add three new tests covering scheme rejection, missing
host, and DNS failure error paths. All 27 tests pass with 60
assertions and 0 failures.

Signed-off-by: Andrey Antukh <niwi@niwi.nz>

2026-05-18 15:57:55 +00:00

Andrey Antukh

279231240d

🐛 Harden outbound HTTP requests against SSRF and restrict assets handlers (#9390 )

* ⬆️ Update root deps

* 🐛 Harden outbound HTTP requests against SSRF and restrict unauthenticated asset access

- Add app.util.ssrf URL/host validator that resolves hostnames and blocks
  loopback, link-local, site-local, cloud metadata, and operator-supplied CIDRs
- Add app.media.sanitize image EOF truncator that strips trailing data after
  PNG IEND, JPEG EOI, GIF trailer, and WebP RIFF markers
- Disable HTTP client auto-redirect; add req-with-redirects! helper that
  revalidates every redirect hop against the SSRF blocklist
- Wire SSRF validation and EOF sanitization into media/download-image
- Validate webhook URLs and OIDC profile picture URLs against SSRF
- Restrict /assets/by-id to require authentication for non-public buckets
  (profile) while keeping public access for file-media-object,
  file-object-thumbnail, team-font-variant, and file-data-fragment
- Add config knobs: ssrf-protection-enabled, ssrf-allowed-hosts,
  ssrf-extra-blocked-cidrs

Signed-off-by: Andrey Antukh <niwi@niwi.nz>

---------

Signed-off-by: Andrey Antukh <niwi@niwi.nz>

2026-05-08 09:18:22 +02:00

2 Commits