5 changes: 5 additions & 0 deletions .gitignore
Expand Up @@ -17,6 +17,11 @@ yarn-error.log
/.vscode
/backup

# Build artifacts
/public/js/app.js
/public/css/app.css
/public/mix-manifest.json

# E2E Testing
/test-results/
/playwright-report/
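--- a/app/Helpers/helper.php
+++ b/app/Helpers/helper.php
@@ -114,15 +114,60 @@ function fixDomainName($url = '')
 }
 }
 
+if (! function_exists('is_trusted_github_api_url')) {
+/**
+* Validate that the URL is a trusted GitHub API endpoint to prevent SSRF attacks.
+*
+* @param string $url
+* @return bool
+*/
+function is_trusted_github_api_url($url)
+{
+// Parse the URL to validate its components
+$parsed = parse_url($url);
+
+if (!$parsed || !isset($parsed['scheme'], $parsed['host'], $parsed['path'])) {
+return false;
+}
+
+// Only allow HTTPS
+if ($parsed['scheme'] !== 'https') {
+return false;
+}
+
+// Only allow api.github.com domain
+if ($parsed['host'] !== 'api.github.com') {
+return false;
+}
+
+// Allow only specific trusted OpenSID repository release endpoints
+$allowed_paths = [
+'/repos/OpenSID/rilis-premium/releases/latest',
+'/repos/OpenSID/rilis-pbb/releases/latest',
+'/repos/OpenSID/opendk/releases/latest',
+'/repos/OpenSID/rilis-opensid-api/releases/latest',
+];
+
+return in_array($parsed['path'], $allowed_paths, true);
+}
+}
+
 if (! function_exists('lastrelease')) {
 /**
-* Validasi domain.
+* Get latest release from trusted GitHub API endpoints.
 *
+* Security: Only allows requests to trusted GitHub API endpoints to prevent SSRF attacks.
+*
 * @param string $url
-* @return object
+* @return object|false
 */
 function lastrelease($url)
 {
+// Security: Validate that the URL is a trusted GitHub API endpoint
+if (!is_trusted_github_api_url($url)) {
+return false;
+}
+
 try {
 $response = Http::withHeaders([
 'Accept' => 'application/vnd.github.v3+json',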
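Review bot: The allow-check in is_trusted_github_api_url only constrains scheme, host and path, so a URL that carries an explicit port or userinfo (for example `https://api.github.com:8443/repos/OpenSID/rilis-premium/releases/latest`, or one with `user:pass@` in front of the host) still passes even though it is not one of the canonical endpoints the comment describes. Since the intent is an exact allowlist, reject those components too, e.g. after the scheme check add `if (isset($parsed['port'], $parsed['user'], $parsed['pass']) || isset($parsed['port']) || isset($parsed['user']) || isset($parsed['pass'])) { return false; }` — or more simply `if (isset($parsed['port']) || isset($parsed['user']) || isset($parsed['pass'])) { return false; }`. A query string or fragment is also silently accepted; a sentence in the docblock stating that only scheme, host and path are validated would make that explicit for callers. lastrelease's body continues past the hunk (the try block and its catch are cut off), so how the new `return false` interacts with the existing error handling could not be checked here.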