Aias00 opened a new pull request, #3366:
URL: https://github.com/apache/hertzbeat/pull/3366

   Potential fix for [https://github.com/apache/hertzbeat/security/code-scanning/82](https://github.com/apache/hertzbeat/security/code-scanning/82)
   
   To fix the SSRF vulnerability, we need to validate the `receiver.getAccessToken()` value to ensure it does not allow malicious manipulation of the `webHookUrl`. The best approach is to maintain a whitelist of valid tokens or enforce strict validation rules to ensure the token is in an expected format. Additionally, the base URL (`alerterProperties.getFlyBookWebhookUrl()`) should be verified to ensure it is a trusted URL.
   
   Steps to fix:
   1. Validate the `receiver.getAccessToken()` value against a whitelist or a strict format (e.g., regex).
   2. Ensure the base URL (`alerterProperties.getFlyBookWebhookUrl()`) is a trusted, fixed URL.
   3. Construct the `webHookUrl` using a safe method that prevents URL manipulation.
   
   ---
   
   
   _Suggested fixes powered by Copilot Autofix. Review carefully before merging._
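The three steps above, carried through as one added example in Java. This is illustrative code written for this note, not hertzbeat's own `AlerterProperties` or `Receiver` classes or the patch in this PR. It assumes that FlyBook/Lark bot tokens are opaque URL-safe identifiers (so a character whitelist is the right format rule), that the trusted base URLs are the two hook prefixes listed in `TRUSTED_BASES` (both constructed assumptions), and that the caller already has the base URL and token as plain strings. The `unsafeBuild` method shows the concatenation pattern the scanner flags; `build` is the hardened form, which validates the base against a fixed list, validates the token format, encodes it, and then re-parses the result to confirm scheme, host, port and path prefix did not change.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example, not hertzbeat code: build a webhook URL from a fixed base plus a
 * per-receiver access token, rejecting token values that would change where the
 * request goes (different host, extra path segments, query or fragment).
 */
public final class WebhookUrlBuilder {

    // Assumption: bot tokens are alphanumerics and '-', 8..128 chars.
    // Adjust to match what the provider actually issues.
    private static final Pattern TOKEN_PATTERN = Pattern.compile("^[A-Za-z0-9-]{8,128}$");

    // Assumption: only these HTTPS bases are trusted; the list is fixed in code,
    // so a configuration value can only select one of them, not introduce a new host.
    private static final Set<String> TRUSTED_BASES = Set.of(
            "https://open.feishu.cn/open-apis/bot/v2/hook/",
            "https://open.larksuite.com/open-apis/bot/v2/hook/");

    private WebhookUrlBuilder() {}

    /** The pattern the scanner flags: untrusted token concatenated with no validation. */
    static String unsafeBuild(String baseUrl, String accessToken) {
        return baseUrl + accessToken;
    }

    /** Hardened build: trusted base, strict token format, encoding, then re-check the parsed result. */
    public static URI build(String baseUrl, String accessToken) {
        if (baseUrl == null || !TRUSTED_BASES.contains(baseUrl)) {
            throw new IllegalArgumentException("webhook base URL is not in the trusted list");
        }
        if (accessToken == null || !TOKEN_PATTERN.matcher(accessToken).matches()) {
            throw new IllegalArgumentException("access token has unexpected format");
        }
        URI base = URI.create(baseUrl);
        String encoded = URLEncoder.encode(accessToken, StandardCharsets.UTF_8);
        URI result = URI.create(baseUrl + encoded);

        // Defense in depth: even after validation, the parsed URL must still point
        // at the same scheme, host and port, under the same path prefix, with no
        // user-info, query or fragment introduced by the token.
        boolean unchanged = "https".equals(result.getScheme())
                && base.getHost().equals(result.getHost())
                && base.getPort() == result.getPort()
                && result.getUserInfo() == null
                && result.getPath().startsWith(base.getPath())
                && result.getQuery() == null
                && result.getFragment() == null;
        if (!unchanged) {
            throw new IllegalArgumentException("constructed webhook URL escaped the trusted base");
        }
        return result;
    }

    public static void main(String[] args) {
        String base = "https://open.feishu.cn/open-apis/bot/v2/hook/";
        // Constructed sample values for the demo; not real tokens.
        String goodToken = "abcdef12-3456-7890-abcd-ef1234567890";
        String[] badTokens = {
            "../../other/path",   // extra path segments
            "token?x=1",          // query injected
            "token#frag",         // fragment injected
            "short",              // below minimum length
        };

        System.out.println("unsafe: " + unsafeBuild(base, badTokens[0]));
        System.out.println("safe:   " + build(base, goodToken));
        for (String t : badTokens) {
            try {
                build(base, t);
                System.out.println("ACCEPTED (unexpected): " + t);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + t + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The format check alone would already reject every sample in `badTokens`; the post-parse comparison is there so that a later relaxation of `TOKEN_PATTERN` (or a base URL added to the list with a trailing path the author did not expect) still cannot turn the alert sender into a request to an arbitrary host. Compile with `javac WebhookUrlBuilder.java` (Java 11 or later for `Set.of` and the `Charset` overload of `URLEncoder.encode`) and run `java WebhookUrlBuilder`.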
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

