Improve URL validation security and CloudFlare compatibility #22406
+301
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thank you for opening this PR! We appreciate you! For all pull requests coming from third-party forks we will need to A Forem Team member will review this contribution and get back to |
- Fix CloudFlare Bot Fight Mode issues by improving User-Agent format - Add SSRF protection to prevent requests to private/internal IPs - Add HTTP timeout settings to prevent hanging requests - Fix status post URL processing to match production behavior - Extract URLs from status post titles automatically Changes: - UnifiedEmbed::Tag: Better User-Agent, SSRF protection, timeouts - Article: Auto-extract URLs from status post titles for processing
abe9d92 to
43547ef
Compare
…verage Security Improvements: - Enhanced DNS resolution in private_ip? method using Addrinfo.getaddrinfo() - Improved error handling for hostname resolution failures - Maintained CloudFlare Bot Fight Mode compatibility - Added proper HTTP timeouts (10s open, 15s read) - CloudFlare-friendly User-Agent format (ForemLinkValidator/1.0) Test Coverage: - Added 144 lines of comprehensive RSpec tests for SSRF protection - Added 48 lines of tests for Article URL extraction functionality - Tests cover private IP detection, DNS resolution scenarios, timeout verification - Validates User-Agent format and bypass logic for trusted domains Features: - Robust protection against SSRF attacks while maintaining embed functionality - Enhanced status post URL extraction with punctuation handling - Comprehensive test suite ensuring security and functionality work together
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this? (check all applicable)
Description
Related Tickets & Documents
QA Instructions, Screenshots, Recordings
Please replace this line with instructions on how to test your changes, a note
on the devices and browsers this has been tested on, as well as any relevant
images for UI changes.
UI accessibility checklist
If your PR includes UI changes, please utilize this checklist:
CriticalandSeriousissues?For more info, check out the
Forem Accessibility Docs.
Added/updated tests?
We encourage you to keep the code coverage percentage at 80% and above.
have not been included
[optional] Are there any post deployment tasks we need to perform?
[optional] What gif best describes this PR or how it makes you feel?