Aias00 opened a new pull request, #3367: URL: https://github.com/apache/hertzbeat/pull/3367
Potential fix for [https://github.com/apache/hertzbeat/security/code-scanning/80](https://github.com/apache/hertzbeat/security/code-scanning/80)

To fix the SSRF vulnerability, we will validate the constructed `webHookUrl` to ensure it adheres to a trusted domain or base URL. Specifically:

1. Extract the base URL from `alerterProperties.getDingTalkWebhookUrl()` and ensure that the final `webHookUrl` starts with this trusted base URL.
2. Reject or sanitize any `receiver.getAccessToken()` values that could lead to an invalid or malicious URL.
3. Optionally, use a URI builder to construct the URL safely, avoiding direct string concatenation.

The changes will be made in the `DingTalkRobotAlertNotifyHandlerImpl` class where the `webHookUrl` is constructed and used.

---
_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
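The three steps above (trusted base URL, token validation, and a parsed rather than string-concatenated result) in working form, as an added example that is not the PR's diff or HertzBeat's own code. It assumes the configured base has the shape `https://oapi.dingtalk.com/robot/send?access_token=` with the receiver token appended, and it assumes DingTalk robot tokens are plain alphanumeric strings; the class and method names are hypothetical. Rather than relying only on a `startsWith` prefix check, it re-parses the final URL and requires the scheme, host, port and path to match the configured base, so a token containing `@`, `/`, `?`, `#` or CR/LF cannot redirect the request.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/**
 * Added example (not HertzBeat's code): build a DingTalk robot webhook URL
 * from the configured base URL plus a per-receiver access token, refusing
 * anything that would leave the trusted origin.
 */
public final class DingTalkWebhookUrlCheck {

    // Assumption: DingTalk robot tokens are opaque alphanumeric strings.
    // Anything outside this class (/, ?, #, @, whitespace, CR/LF) is
    // rejected before it can reach the URL at all.
    private static final Pattern TOKEN = Pattern.compile("^[A-Za-z0-9]{16,128}$");

    private DingTalkWebhookUrlCheck() {}

    /** Returns the webhook URL or throws IllegalArgumentException if it is not safe to use. */
    public static String buildWebhookUrl(String configuredBase, String accessToken) {
        if (accessToken == null || !TOKEN.matcher(accessToken).matches()) {
            throw new IllegalArgumentException("access token has unexpected characters or length");
        }

        final URI base;
        try {
            base = new URI(configuredBase);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("configured webhook base URL is not a valid URI", e);
        }
        if (!"https".equalsIgnoreCase(base.getScheme()) || base.getHost() == null) {
            throw new IllegalArgumentException("configured webhook base URL must be an absolute https URL");
        }

        String candidate = configuredBase + accessToken;
        final URI built;
        try {
            built = new URI(candidate);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("constructed webhook URL is not a valid URI", e);
        }

        // The prefix check alone is not enough: also require that the parsed
        // result still points at the configured origin and endpoint path.
        boolean sameOrigin = base.getScheme().equalsIgnoreCase(built.getScheme())
                && base.getHost().equalsIgnoreCase(built.getHost())
                && base.getPort() == built.getPort()
                && base.getPath().equals(built.getPath());
        if (!candidate.startsWith(configuredBase) || !sameOrigin) {
            throw new IllegalArgumentException("constructed webhook URL leaves the trusted origin");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Assumed shape of alerterProperties.getDingTalkWebhookUrl(); the token is constructed sample data.
        String base = "https://oapi.dingtalk.com/robot/send?access_token=";
        System.out.println("accepted: " + buildWebhookUrl(base, "0123456789abcdef0123456789abcdef"));

        String[] hostile = {"abc@evil.example/x", "tok\r\nHost: evil.example", "../../internal", "", "a"};
        for (String token : hostile) {
            try {
                buildWebhookUrl(base, token);
                System.out.println("ACCEPTED (unexpected): " + token.replace("\r\n", "\\r\\n"));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The allow-list on the token is the check that does the real work here; the post-parse origin comparison is the defense in depth that catches a configured base URL someone later changes to a shape this code did not anticipate.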
