Aias00 opened a new pull request, #3372: URL: https://github.com/apache/hertzbeat/pull/3372
Potential fix for [https://github.com/apache/hertzbeat/security/code-scanning/51](https://github.com/apache/hertzbeat/security/code-scanning/51)

To fix the SSRF vulnerability:

1. Validate the user-provided `metrics` input against a predefined whitelist of allowed values. This ensures that only safe and expected values are used in the URI construction.
2. If a whitelist is not feasible, restrict the constructed URI to a specific trusted domain or base URL. This can be achieved by validating the final URI before making the request.
3. Update the `getHistoryIntervalMetricData` method in `VictoriaMetricsClusterDataStorage` to include validation logic for `metrics`.

---

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
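The two defences the PR description lists, an allowlist on the `metrics` value and a post-construction check that the final URI still points at the configured VictoriaMetrics base, can be written as one small guard. The class below is an added illustration and is not HertzBeat's code or the PR's diff: the class name, the allowlist contents, the `/api/v1/query_range` path, the query parameter names and the base URL are all assumptions made for the example, and `getHistoryIntervalMetricData` in `VictoriaMetricsClusterDataStorage` would call something like `buildQueryUri` before issuing the HTTP request.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/**
 * Illustrative SSRF guard for a VictoriaMetrics query URI (added example,
 * not HertzBeat's own code). Assumes the storage has one configured base
 * URL and knows up front which metric names it is willing to query.
 */
public final class MetricQueryUriGuard {

    /** Allowlist of metric names the storage may query (constructed sample values). */
    private static final Set<String> ALLOWED_METRICS = Set.of(
            "cpu_usage", "memory_usage", "disk_io", "response_time");

    private final URI baseUri;

    public MetricQueryUriGuard(String baseUrl) {
        this.baseUri = URI.create(baseUrl);
        if (baseUri.getScheme() == null || baseUri.getHost() == null) {
            throw new IllegalArgumentException("base URL must be absolute with a host: " + baseUrl);
        }
    }

    /** Step 1 of the PR description: reject any metric name outside the allowlist. */
    public static boolean isAllowedMetric(String metrics) {
        return metrics != null && ALLOWED_METRICS.contains(metrics);
    }

    /**
     * Step 2 of the PR description: after the URI is built, confirm that scheme,
     * host, port and path prefix still match the trusted base and that no
     * user-info section was smuggled in.
     */
    public boolean isOnTrustedBase(URI candidate) {
        return candidate.isAbsolute()
                && baseUri.getScheme().equalsIgnoreCase(candidate.getScheme())
                && baseUri.getHost().equalsIgnoreCase(candidate.getHost())
                && baseUri.getPort() == candidate.getPort()
                && candidate.getUserInfo() == null
                && candidate.getRawPath().startsWith(baseUri.getRawPath());
    }

    /**
     * Build the range-query URI only when both checks pass; returns null otherwise.
     * The endpoint path and parameter names are assumptions for this example.
     * The multi-argument URI constructor assembles the components itself, so the
     * metric name can never change the scheme, host or port.
     */
    public URI buildQueryUri(String metrics, long start, long end) {
        if (!isAllowedMetric(metrics)) {
            return null;
        }
        String path = baseUri.getRawPath().replaceAll("/+$", "") + "/api/v1/query_range";
        String query = "query=" + metrics + "&start=" + start + "&end=" + end;
        URI candidate;
        try {
            candidate = new URI(baseUri.getScheme(), null, baseUri.getHost(),
                    baseUri.getPort(), path, query, null);
        } catch (URISyntaxException e) {
            return null;
        }
        return isOnTrustedBase(candidate) ? candidate : null;
    }

    public static void main(String[] args) {
        // Constructed base URL; in HertzBeat this would come from the storage configuration.
        MetricQueryUriGuard guard = new MetricQueryUriGuard("http://victoria-metrics.internal:8428");
        System.out.println(guard.buildQueryUri("cpu_usage", 1700000000L, 1700003600L));
        // A value that is not on the allowlist is refused before any URI is built.
        System.out.println(guard.buildQueryUri("not_a_known_metric", 0L, 1L));
    }
}
```

The allowlist check runs first so that an unexpected value never reaches URI construction at all; the second check is the fallback the description mentions for cases where an allowlist is not feasible, and keeping both costs nothing. If the real storage builds the URI by string concatenation instead, `isOnTrustedBase` can still be applied to the parsed result before the request is sent.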
