
Fix SSRF vulnerability in lastrelease function by implementing URL validation #564

Merged: vickyrolanda merged 5 commits into rilis-dev from copilot/fix-532 on Oct 22, 2025

Contributor

Copilot AI commented Sep 17, 2025

Summary

This PR fixes a critical Server-Side Request Forgery (SSRF) vulnerability in the lastrelease() helper function that could allow attackers to make unauthorized requests to internal services or leak credentials.

Vulnerability Details

The lastrelease() function in app/Helpers/helper.php was accepting arbitrary URLs and making HTTP requests without validation:

function lastrelease($url)
{
    // No URL validation - vulnerable to SSRF!
    $response = Http::get($url);
    return json_decode($response->body());
}

This allowed potential attacks like:

  • Requests to internal services (http://localhost:8080/admin)
  • Credential harvesting from metadata endpoints (http://169.254.169.254/)
  • Port scanning internal networks (http://192.168.1.1:22)

Security Fix

Added strict URL validation that only allows trusted GitHub API endpoints:

function is_trusted_github_api_url($url)
{
    $parsed = parse_url($url);

    // parse_url() returns false for seriously malformed URLs
    if ($parsed === false) {
        return false;
    }

    // Only HTTPS to api.github.com (?? avoids undefined-key errors when a component is missing)
    if (($parsed['scheme'] ?? null) !== 'https' || ($parsed['host'] ?? null) !== 'api.github.com') {
        return false;
    }

    // Only specific OpenSID repository endpoints
    $allowed_paths = [
        '/repos/OpenSID/rilis-premium/releases/latest',
        '/repos/OpenSID/rilis-pbb/releases/latest',
        '/repos/OpenSID/opendk/releases/latest',
        '/repos/OpenSID/rilis-opensid-api/releases/latest',
    ];

    // A URL without a path component never matches the allowlist
    return in_array($parsed['path'] ?? '', $allowed_paths, true);
}

Changes Made

  1. Added URL validation function - is_trusted_github_api_url() with strict allowlist
  2. Enhanced lastrelease() function - Now validates URLs before making requests
  3. Updated axios dependency - Bumped from 0.28.1 to 0.30.1 for additional security fixes
  4. Comprehensive test coverage - 8 unit tests + 3 integration tests covering security scenarios

Security Benefits

  • Prevents SSRF attacks - Only trusted GitHub API endpoints allowed
  • Blocks credential leakage - No requests to metadata or internal services
  • Maintains functionality - All existing version check features continue working
  • Graceful degradation - Returns default versions when GitHub is unavailable

Testing

All security tests pass:

  • URL validation for trusted endpoints ✓
  • Rejection of malicious URLs ✓
  • SSRF attack prevention ✓
  • Existing functionality preservation ✓

The fix ensures that functions like lastrelease_opensid(), lastrelease_pbb(), etc. continue to work normally while preventing any unauthorized requests.

Fixes #532.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


Contributor Author

Copilot AI commented Sep 17, 2025

@vickyrolanda 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.
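
Added example (not part of the PR or the OpenSID code base): a stricter form of the allowlist check from the PR description above, run over constructed URLs. The names `is_trusted_release_url`, `lastrelease_checked` and the `$fetch` callable are hypothetical; `$fetch` stands in for the HTTP client call so the script runs offline.

```php
<?php
declare(strict_types=1);

// Allowlist copied from the PR description above.
const ALLOWED_RELEASE_PATHS = [
    '/repos/OpenSID/rilis-premium/releases/latest',
    '/repos/OpenSID/rilis-pbb/releases/latest',
    '/repos/OpenSID/opendk/releases/latest',
    '/repos/OpenSID/rilis-opensid-api/releases/latest',
];

// Hypothetical stricter variant of is_trusted_github_api_url() (not the merged code).
function is_trusted_release_url(mixed $url): bool
{
    if (!is_string($url) || $url === '' || strlen($url) > 2048) {
        return false;
    }
    // Whitespace, control bytes and backslashes are read differently by
    // different URL parsers, so refuse them before parsing.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $url) === 1) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false; // seriously malformed URL
    }
    // The four endpoints need nothing beyond scheme, host and path.
    foreach (['user', 'pass', 'port', 'query', 'fragment'] as $extra) {
        if (isset($parts[$extra])) {
            return false;
        }
    }
    // Exact, case-sensitive matches; ?? avoids undefined-key errors on partial URLs.
    return ($parts['scheme'] ?? '') === 'https'
        && ($parts['host'] ?? '') === 'api.github.com'
        && in_array($parts['path'] ?? '', ALLOWED_RELEASE_PATHS, true);
}

// Hypothetical wrapper: $fetch is only invoked once the URL has passed
// validation; a rejected URL or an undecodable body yields $default.
function lastrelease_checked(mixed $url, callable $fetch, ?object $default = null): ?object
{
    if (!is_trusted_release_url($url)) {
        return $default;
    }
    $decoded = json_decode((string) $fetch($url));
    return is_object($decoded) ? $decoded : $default;
}

// Constructed test inputs: one accepted URL, the three URLs named in the PR
// text, and near-misses that a looser comparison could let through.
$ok = 'https://api.github.com/repos/OpenSID/opendk/releases/latest';
$cases = [
    [$ok, true],
    ['http://localhost:8080/admin', false],
    ['http://169.254.169.254/', false],
    ['http://192.168.1.1:22', false],
    ['http://api.github.com/repos/OpenSID/opendk/releases/latest', false],   // not HTTPS
    ['https://api.github.com.example.test/repos/OpenSID/opendk/releases/latest', false],
    ['https://api.github.com@example.test/repos/OpenSID/opendk/releases/latest', false],
    ['https://api.github.com:8443/repos/OpenSID/opendk/releases/latest', false],
    [$ok . '/../../../../user', false],                                      // path not on the list
    [$ok . '?page=2', false],
    ['//api.github.com/repos/OpenSID/opendk/releases/latest', false],        // no scheme
    ['https:///repos/OpenSID/opendk/releases/latest', false],                // parse_url() fails
    [null, false],
];

$fetched = [];
$fetch = function (string $url) use (&$fetched): string {
    $fetched[] = $url; // record every outbound request
    return '{"tag_name":"v0.0.0-constructed"}';
};

$failures = 0;
foreach ($cases as [$url, $expected]) {
    $actual = is_trusted_release_url($url);
    lastrelease_checked($url, $fetch);
    $failures += ($actual === $expected) ? 0 : 1;
    printf("%-6s %s\n", $actual ? 'ALLOW' : 'DENY', var_export($url, true));
}
// Only the single allowed URL may ever have reached the fetcher.
$failures += ($fetched === [$ok]) ? 0 : 1;
exit($failures === 0 ? 0 : 1);
```

In the helper, `$fetch` would wrap the real client call; disabling redirect following there keeps the validated URL the only one requested.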

Copilot AI and others added 3 commits September 17, 2025 05:42
Co-authored-by: vickyrolanda <59082428+vickyrolanda@users.noreply.github.com>
…function

Co-authored-by: vickyrolanda <59082428+vickyrolanda@users.noreply.github.com>
Co-authored-by: vickyrolanda <59082428+vickyrolanda@users.noreply.github.com>
Copilot AI changed the title from "[WIP] axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL" to "Fix SSRF vulnerability in lastrelease function by implementing URL validation" Sep 17, 2025
Copilot AI requested a review from vickyrolanda September 17, 2025 05:58
vickyrolanda removed their request for review October 13, 2025 17:58
vickyrolanda added this to the M3 Pantau 2511 milestone Oct 15, 2025
habibie11 moved this from Target to Sedang Dikerjakan in Selain OpenSID 2512 Oct 17, 2025
habibie11 moved this from Sedang Dikerjakan to Cek Issue in Selain OpenSID 2512 Oct 17, 2025
habibie11 marked this pull request as ready for review October 17, 2025 02:33
habibie11 changed the base branch from master to rilis-dev October 17, 2025 02:35
habibie11 moved this from Cek Issue to Sedang Dikerjakan in Selain OpenSID 2512 Oct 17, 2025

Contributor

habibie11 commented

OK

habibie11 moved this from Sedang Dikerjakan to Siap Review in Selain OpenSID 2512 Oct 17, 2025
vickyrolanda merged commit cbc947f into rilis-dev Oct 22, 2025
1 check failed
vickyrolanda deleted the copilot/fix-532 branch October 22, 2025 03:11
vickyrolanda moved this from Siap Review to Selesai in Selain OpenSID 2512 Oct 22, 2025
vickyrolanda removed this from the M3 Pantau 2511 milestone Oct 22, 2025

Development

Successfully merging this pull request may close these issues.

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

3 participants