Harden API URL Input Validation and SSRF Protections in Shared Middleware#288
Chintanpatel24 wants to merge 1 commit into
Conversation
✅ Deploy Preview for web-check ready! Built without sensitive environment variables
Pull request overview
This PR hardens the shared API middleware’s url query parameter handling by adding stricter URL parsing/validation and introducing initial SSRF guardrails, while also refining platform handler behavior and error status mapping.
Changes:
- Replaced permissive URL normalization with strict parsing/validation (scheme allowlist, no credentials, length/control-char checks).
- Added host blocking for localhost/private/reserved IPs with an opt-out via `API_ALLOW_PRIVATE_TARGETS=true`.
- Improved handler robustness (Vercel disabled-mode now returns immediately; error mapping uses `error.statusCode` and 408 for timeouts).
@copilot apply changes based on the comments in this thread |
This PR strengthens API request handling by hardening URL parsing and host validation in the shared middleware.
Changes included:
Impact: