Aias00 opened a new pull request, #3370: URL: https://github.com/apache/hertzbeat/pull/3370
Potential fix for [https://github.com/apache/hertzbeat/security/code-scanning/50](https://github.com/apache/hertzbeat/security/code-scanning/50)

To fix the SSRF vulnerability, we need to validate the user-provided `metrics` input against a whitelist of allowed values. This ensures that only predefined, trusted metric names can be used in the query. The validation should occur as early as possible, ideally in the `MetricsDataController` class, before the data flows further into the application.

Steps to implement the fix:

1. Define a whitelist of allowed metric names in the `MetricsDataController` class or a configuration file.
2. Validate the `metricFull` input against this whitelist in the `getMetricHistoryData` method of `MetricsDataController`.
3. If the input is invalid, throw an exception or return an error response.
4. Ensure that the validated input is used throughout the data flow.

---

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
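As an added illustration of the allowlist pattern the PR describes (example code written here, not HertzBeat's own code), the snippet below shows a validator with a hypothetical allowlist and a Spring-style handler that rejects any other value before it can reach the query layer; the metric names, class names and endpoint path are assumptions, not the project's.

```java
import java.util.Set;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/** Allowlist check for a user-supplied metric identifier (illustrative, not project code). */
final class MetricNameValidator {

    // Hypothetical allowlist; a real deployment would load this from configuration.
    private static final Set<String> ALLOWED_METRICS = Set.of(
            "cpu", "memory", "disk", "network");

    private MetricNameValidator() {}

    /**
     * Returns the input unchanged only if it exactly matches an allowlisted value
     * (case-sensitive, no trimming or normalisation, so there is nothing to bypass).
     * Throws otherwise, so a rejected value cannot be used further by accident.
     */
    static String requireAllowed(String metricFull) {
        if (metricFull == null || !ALLOWED_METRICS.contains(metricFull)) {
            // Do not echo the raw input into the error: it is untrusted.
            throw new IllegalArgumentException("metric name is not in the allowlist");
        }
        return metricFull;
    }
}

/** Hypothetical controller showing the check applied at the entry point. */
@RestController
class ExampleMetricsController {

    @GetMapping("/example/metric/history")
    ResponseEntity<String> history(@RequestParam("metricFull") String metricFull) {
        final String safeMetric;
        try {
            // Validate first; everything downstream uses only the validated value.
            safeMetric = MetricNameValidator.requireAllowed(metricFull);
        } catch (IllegalArgumentException e) {
            return ResponseEntity.badRequest().body(e.getMessage());
        }
        // Placeholder for the real query; only safeMetric is passed on.
        return ResponseEntity.ok("query would run for metric: " + safeMetric);
    }
}
```

The important property is that `safeMetric` is the only variable the rest of the handler can see, so the unvalidated request parameter never flows into the query code.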
