[ISSUE #4564] add url validation to avoid SSRF #4572
Conversation
add url validation to avoid SSRF
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Welcome to the Apache EventMesh community!!
This is your first PR in our project. We're very excited to have you onboard contributing. Your contributions are greatly appreciated!
Please make sure that the changes are covered by tests.
We will be here shortly.
Let us know if you need any help!
Want to get closer to the community?
| WeChat Assistant | WeChat Public Account | Slack |
|---|---|---|
 |
 |
Join Slack Chat |
Mailing Lists:
| Name | Description | Subscribe | Unsubscribe | Archive |
|---|---|---|---|---|
| Users | User support and questions mailing list | Subscribe | Unsubscribe | Mail Archives |
| Development | Development related discussions | Subscribe | Unsubscribe | Mail Archives |
| Commits | All commits to repositories | Subscribe | Unsubscribe | Mail Archives |
| Issues | Issues or PRs comments and reviews | Subscribe | Unsubscribe | Mail Archives |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #4572 +/- ##
============================================
+ Coverage 16.94% 16.96% +0.01%
- Complexity 1676 1679 +3
============================================
Files 781 781
Lines 29161 29167 +6
Branches 2510 2511 +1
============================================
+ Hits 4941 4947 +6
Misses 23760 23760
Partials 460 460 ☔ View full report in Codecov by Sentry. |
| LogUtils.info(log, "obtain webhook delivery agreement for url: {}", targetUrl); | ||
|
|
||
| if (isInvalidUrl(targetUrl)) { | ||
| LogUtils.info(log, "Target url is invalid url: {}", targetUrl); |
There was a problem hiding this comment.
LogUtils.error() may be better.
There was a problem hiding this comment.
LogUtils.error()may be better.
should i create a new PR or update this PR to correct log level? @pandaapo
There was a problem hiding this comment.
You only need to make modifications on this branch and then push again.
mxsm
left a comment
mxsm
left a comment
There was a problem hiding this comment.
@wizardzhang Welcome to EventMesh community. thanks for your contribution!
* [ISSUE apache#4564] add url validation to avoid SSRF * [ISSUE apache#4564] correct log level
3 participants
Fixes #4564.
Motivation
validating the input url to avoid SSRF attacks
Modifications
org.apache.eventmesh.runtime.util.WebhookUtil#obtainDeliveryAgreement
in this method i added targetUrl validation, to do so i added commons-validator:commons-validator lib
and use org.apache.commons.validator.routines.UrlValidator#isValid method,
and add new test case org.apache.eventmesh.runtime.util.WebhookUtilTest#testObtainDeliveryAgreementWithInvalidTargetUrl
and update the test case
org.apache.eventmesh.runtime.util.WebhookUtilTest#testObtainDeliveryAgreement
Documentation