Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): SSRF guard, DNS-rebinding mitigation, zip-bomb cap — H3, M2, M4, L1#347

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/ssrf-import-safety
May 27, 2026
Merged

fix(security): SSRF guard, DNS-rebinding mitigation, zip-bomb cap — H3, M2, M4, L1#347
rubenvdlinde merged 1 commit into
developmentfrom
fix/ssrf-import-safety

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

Test plan

  • Feed URL http://169.254.169.254/... rejected with SSRF guard failure reason
  • Feed URL http://127.0.0.1/... rejected
  • Valid HTTPS public feed URL proceeds normally
  • Calendar ICS URL with private IP: validation fails at both validate time and fetch time
  • Confluence import with large HTML entries (>25 MB) skips those entries without crashing
  • RSS feed with XML entities does not expand them

🤖 Generated with Claude Code

…3, M2, M4, L1

H3 (#326): FeedRefreshService::isPrivateIpGuarded() enforces HTTPS-only
and rejects hostnames that resolve to private/reserved IP ranges
(FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE), mirroring the
existing CalendarWidgetService::validateUrl guard. Called from
refreshFeed() before the HTTP request.

M2 (#330): CalendarWidgetService::fetchIcsBody now calls validateUrl()
immediately before the Guzzle get() to reduce the DNS-rebinding TOCTOU
window. Full CURLOPT_RESOLVE pinning is noted as the next step.

M4 (#332): ArchiveParser::collectEntries() checks statIndex('size')
before getFromIndex() — entries > 25 MB are skipped; total HTML bytes
are tracked and iteration halts at 100 MB (zip-bomb guard).

L1 (#337): simplexml_load_string now passes LIBXML_NOENT in addition to
LIBXML_NOCDATA | LIBXML_NONET, explicitly disabling entity substitution
for defence-in-depth on older libxml builds.
@rubenvdlinde rubenvdlinde merged commit a41fe7d into development May 27, 2026
@rubenvdlinde rubenvdlinde deleted the fix/ssrf-import-safety branch May 27, 2026 17:20
This was referenced May 27, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant