Aias00 opened a new pull request, #3368: URL: https://github.com/apache/hertzbeat/pull/3368
Potential fix for [https://github.com/apache/hertzbeat/security/code-scanning/79](https://github.com/apache/hertzbeat/security/code-scanning/79)

To fix the SSRF vulnerability, we need to validate and sanitize the user-provided `receiver.getAccessToken()` before appending it to the base URL. Additionally, we should ensure that the constructed `webHookUrl` is restricted to a trusted domain or prefix.

**Steps to fix:**

1. Validate the `receiver.getAccessToken()` to ensure it conforms to expected patterns (e.g., alphanumeric tokens of a specific length).
2. Use a whitelist of allowed base URLs or ensure the final `webHookUrl` starts with the trusted base URL (`alerterProperties.getDingTalkWebhookUrl()`).
3. Reject or sanitize any input that does not meet the validation criteria.

---

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
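The three steps above, worked into one hardened builder, as an added example that is not code from the pull request or from the HertzBeat project: the token is checked against a strict character allowlist before it is concatenated, and the finished `webHookUrl` is then parsed and its scheme, host, port and user-info compared against the parsed trusted base, rather than relying on a string prefix check alone. The base URL string, the token pattern (`[A-Za-z0-9]{32,128}`) and the class and method names are assumptions for illustration; the real DingTalk token format and `alerterProperties.getDingTalkWebhookUrl()` value should be substituted.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/** Illustrative helper (not HertzBeat code) for building a webhook URL safely. */
public final class WebhookUrlBuilder {

    // Assumed token shape: adjust to the provider's documented format.
    // The allowlist deliberately excludes '/', '@', '?', '#', '&' and whitespace,
    // so a token can never introduce a new host, path segment or query parameter.
    private static final Pattern TOKEN = Pattern.compile("^[A-Za-z0-9]{32,128}$");

    private WebhookUrlBuilder() {}

    /**
     * Returns trustedBase + accessToken, or throws if the token is malformed
     * or the resulting URL does not resolve to the same origin as trustedBase.
     */
    public static String build(String trustedBase, String accessToken) {
        // Step 1: validate the token against the expected pattern.
        if (accessToken == null || !TOKEN.matcher(accessToken).matches()) {
            throw new IllegalArgumentException("access token does not match the expected pattern");
        }

        String webHookUrl = trustedBase + accessToken;

        // Step 2: confirm the final URL still targets the trusted base.
        // Parse both sides so the comparison is on URL components, not raw text.
        URI base;
        URI result;
        try {
            base = new URI(trustedBase);
            result = new URI(webHookUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed webhook URL", e);
        }

        boolean sameOrigin = "https".equals(result.getScheme())
                && result.getHost() != null
                && result.getHost().equalsIgnoreCase(base.getHost())
                && result.getPort() == base.getPort()
                && result.getRawUserInfo() == null
                && webHookUrl.startsWith(trustedBase);

        // Step 3: reject anything that fails either check.
        if (!sameOrigin) {
            throw new IllegalArgumentException("webhook URL escapes the trusted base");
        }
        return webHookUrl;
    }

    public static void main(String[] args) {
        // Assumed shape of alerterProperties.getDingTalkWebhookUrl(); not taken from the project.
        String base = "https://oapi.dingtalk.com/robot/send?access_token=";

        System.out.println("accepted: " + build(base, "0123456789abcdef0123456789abcdef"));

        // Constructed hostile tokens: each should be rejected by the allowlist.
        String[] hostile = {
            "abc@attacker.example/",                 // user-info trick
            "../../admin",                           // path traversal
            "tok&url=http://169.254.169.254/",       // extra query parameter
            "tok#fragment",                          // fragment
            ""                                       // empty
        };
        for (String t : hostile) {
            try {
                build(base, t);
                System.out.println("ACCEPTED (unexpected): " + t);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: \"" + t + "\" -> " + e.getMessage());
            }
        }
    }
}
```

The character allowlist does most of the work: once `/`, `@`, `?`, `#` and `&` cannot appear in the token, the appended value cannot change the host, path or query of the request. The parsed-component comparison is a second, independent check, so a later change to the base URL (for example, one that drops the `?access_token=` suffix) does not silently reopen the hole.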
