Aias00 opened a new pull request, #3365: URL: https://github.com/apache/hertzbeat/pull/3365
Potential fix for https://github.com/apache/hertzbeat/security/code-scanning/83

To fix the SSRF vulnerability, we need to validate and restrict the `webHookUrl` to ensure it only points to trusted domains or URLs. This can be achieved by:

1. Maintaining a whitelist of allowed base URLs or domains for Gotify webhook URLs.
2. Validating the constructed `webHookUrl` against this whitelist before making the HTTP request.

The fix involves:

- Adding a method to validate the `webHookUrl` against a predefined list of allowed base URLs.
- Modifying the `send` method in `GotifyAlertNotifyHandlerImpl` to validate the `webHookUrl` before using it in the HTTP request.

---
_Suggested fixes powered by Copilot Autofix. Review carefully before merging._
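An allowlist check of the kind the PR describes, written here as an added example rather than code from the PR or from HertzBeat; the class name, the `isAllowedWebHookUrl` method and the sample allowlist are assumptions. It compares the parsed scheme, host and port of the webhook URL against each allowed base URL instead of doing a string-prefix match.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
// Added example, not HertzBeat's code: allowlist check for an outbound webhook URL.
public final class WebHookUrlValidator {
    // Constructed sample allowlist; a real deployment would load this from configuration.
    private static final List<String> ALLOWED_BASE_URLS =
            List.of("https://gotify.example.com", "http://gotify.internal:8080");
    // True only if webHookUrl shares scheme, host and effective port with an allowed base URL.
    // Parsed components are compared, so a host that merely starts with an allowed name is rejected.
    public static boolean isAllowedWebHookUrl(String webHookUrl) {
        URI target = parseHttpUri(webHookUrl);
        if (target == null) {
            return false;
        }
        for (String allowed : ALLOWED_BASE_URLS) {
            URI base = parseHttpUri(allowed);
            if (base != null
                    && base.getScheme().equalsIgnoreCase(target.getScheme())
                    && base.getHost().equalsIgnoreCase(target.getHost())
                    && effectivePort(base) == effectivePort(target)) {
                return true;
            }
        }
        return false;
    }

    // Accepts only absolute http(s) URLs that have a host and no user-info part; null otherwise.
    private static URI parseHttpUri(String value) {
        try {
            URI uri = new URI(value);
            String scheme = uri.getScheme();
            if (scheme == null
                    || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))
                    || uri.getHost() == null
                    || uri.getUserInfo() != null) {
                return null;
            }
            return uri;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Explicit port if given, else the scheme default, so "https://h" and "https://h:443" match.
    private static int effectivePort(URI uri) {
        return uri.getPort() != -1 ? uri.getPort() : ("https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80);
    }
}
```

In the PR's design, `send` would call `isAllowedWebHookUrl(webHookUrl)` and refuse to issue the HTTP request when it returns false.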
