
Security: Validate URLs to prevent SSRF and local resource access #20

Closed
fredluz wants to merge 1 commit into garrytan:main from fredluz:fix/ssrf-url-validation

Conversation


@fredluz fredluz commented Mar 12, 2026

Summary

  • Adds browse/src/url-validation.ts with a validateUrl() function that blocks dangerous URL schemes (file://, data:, etc.) and private/internal IP addresses (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, ::1, fc00::/7, localhost)
  • Applies URL validation before every page.goto() call in three locations: goto command, newTab(), and diff command
  • Only http: and https: schemes are allowed by default
  • Can be bypassed with BROWSE_ALLOW_PRIVATE=1 env var for legitimate local development

Fixes #17

Test plan

  • Verify browse goto file:///etc/passwd is blocked with a clear error
  • Verify browse goto http://169.254.169.254/latest/meta-data/ is blocked
  • Verify browse goto http://127.0.0.1:3000 is blocked
  • Verify browse goto http://10.0.0.1 is blocked
  • Verify browse goto https://example.com still works
  • Verify BROWSE_ALLOW_PRIVATE=1 browse goto http://localhost:3000 is allowed
  • Verify browse diff http://127.0.0.1 https://example.com is blocked
  • Verify browse newtab file:///etc/hosts is blocked

🤖 Generated with Claude Code

Add url-validation.ts that blocks file:// URLs, private/internal IPs
(127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16,
::1, fc00::/7), and non-HTTP schemes before any page.goto() call.

Applied in all three navigation points: goto command, newTab(), and diff.
Bypass with BROWSE_ALLOW_PRIVATE=1 for local development.

Fixes garrytan#17

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fredluz fredluz closed this Mar 12, 2026
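The check the PR describes, written out as an added example. This is not gstack's url-validation.ts and the PR's diff is not on this page; the function name validateUrl(), the assumed signature validateUrl(raw, allowPrivate) returning { ok, reason? } (with allowPrivate standing in for BROWSE_ALLOW_PRIVATE=1), and the helper names are all this example's own. It covers the ranges the PR lists and goes slightly beyond them: 0.0.0.0/8, fe80::/10 and IPv4-mapped IPv6 literals (::ffff:127.0.0.1) are also blocked, and it leans on Node's WHATWG URL parser to normalise numeric hostnames so that http://2130706433/, http://127.1/ and http://user@127.0.0.1/ all surface as 127.0.0.1 before the range check runs.

```typescript
// Added example, not the project's own code. Assumed API:
// validateUrl(raw, allowPrivate) -> { ok, reason? }.

interface UrlCheck {
  ok: boolean;
  reason?: string;
}

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Ranges from the PR plus 0.0.0.0/8 (the unspecified address reaches the
// local host on Linux), which the PR's list does not include.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],
  ["10.0.0.0", 8],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16], // link-local; cloud metadata (169.254.169.254) lives here
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not dotted-quad.
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((x) => x > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function isBlockedIpv4(ip: number): boolean {
  return BLOCKED_V4.some(([net, bits]) => {
    const shift = 32 - bits;
    return (ip >>> shift) === ((ipv4ToInt(net) as number) >>> shift);
  });
}

// Expand an IPv6 literal (with or without [brackets], a %zone, or an embedded
// IPv4 tail such as ::ffff:127.0.0.1) into eight 16-bit groups, or null.
function parseIpv6(host: string): number[] | null {
  let h = host.startsWith("[") && host.endsWith("]") ? host.slice(1, -1) : host;
  const zone = h.indexOf("%");
  if (zone >= 0) h = h.slice(0, zone);
  const lastColon = h.lastIndexOf(":");
  if (lastColon < 0) return null;
  if (h.slice(lastColon + 1).includes(".")) {
    const v4 = ipv4ToInt(h.slice(lastColon + 1));
    if (v4 === null) return null;
    h = `${h.slice(0, lastColon + 1)}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const halves = h.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0 || (halves.length === 1 && head.length !== 8)) return null;
  const groups: number[] = [];
  for (const g of [...head, ...new Array<string>(fill).fill("0"), ...tail]) {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) return null;
    groups.push(parseInt(g, 16));
  }
  return groups;
}

function isBlockedIpv6(g: number[]): boolean {
  const leadingZero = (n: number) => g.slice(0, n).every((x) => x === 0);
  if (leadingZero(5) && g[5] === 0xffff) {
    // ::ffff:a.b.c.d (IPv4-mapped): judge by the embedded IPv4 address
    return isBlockedIpv4(((g[6] << 16) | g[7]) >>> 0);
  }
  if (leadingZero(7) && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return true;  // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;  // fe80::/10 link-local (beyond the PR's list)
  return false;
}

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

function validateUrl(raw: string, allowPrivate = false): UrlCheck {
  const u = parseUrl(raw);
  if (u === null) return { ok: false, reason: "not a parseable absolute URL" };
  // Scheme allow-list first: file:, data:, javascript: etc. never reach the browser,
  // even when private addresses are allowed.
  if (!ALLOWED_SCHEMES.has(u.protocol)) {
    return { ok: false, reason: `scheme ${u.protocol} is not allowed` };
  }
  if (allowPrivate) return { ok: true };
  const host = u.hostname.toLowerCase(); // userinfo and port are already stripped
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "localhost is not allowed" };
  }
  const v4 = ipv4ToInt(host);
  if (v4 !== null) {
    return isBlockedIpv4(v4) ? { ok: false, reason: `private IPv4 address ${host}` } : { ok: true };
  }
  const v6 = parseIpv6(host);
  if (v6 !== null) {
    return isBlockedIpv6(v6) ? { ok: false, reason: `private IPv6 address ${host}` } : { ok: true };
  }
  // Anything else is a DNS name; a string check cannot see what it resolves to.
  return { ok: true };
}
```

Two caveats that a check of this shape does not cover, and that a reviewer of the real change would want answered. First, a DNS name is passed through untouched, so any hostname an attacker controls can resolve to 169.254.169.254 or 127.0.0.1 and sail past; closing that needs a resolve-then-check step (dns.lookup with all addresses, each run through the same range test) and, even then, rebinding between the check and the fetch remains possible. Second, validating only the URL handed to page.goto() does nothing about what the browser does afterwards: an HTTP redirect from a public host to a private one, or a sub-resource loaded by the page, is a fresh navigation that never passes through validateUrl(). Applying the same test inside whatever request-interception hook the automation library offers (Playwright's page.route(), for instance) closes that gap, since every request, redirect hop included, then goes through it.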
rafiulnakib pushed a commit to rafiulnakib/gstack that referenced this pull request Mar 26, 2026
…arrytan#15-garrytan#18) limitations

Visualizer: progressive disclosure with route-level expand/collapse (garrytan#19),
interactive toolbar with search/filter/depth slider (garrytan#20),
terminal ASCII output with ANSI colors (garrytan#21).
Resolvers: staleness sync with auto-reconciliation (garrytan#15),
atomic file locking with O_CREAT|O_EXCL (garrytan#16),
15-component spot-check with thorough mode (garrytan#17),
fuzzy anti-pattern matching with Levenshtein + synonyms (garrytan#18).
Product map: export mode (garrytan#11), shared map with feature merge (garrytan#12),
tiered compression (garrytan#13), enhanced bootstrap fallback (garrytan#14).
nczempin added a commit to nczempin/gstack that referenced this pull request Mar 30, 2026
Binary was tracked by upstream (garrytan/gstack) due to historical mistake.
The file is in .gitignore but was committed before the rule took effect.
This commit removes it from the index while keeping the local file.

Closes garrytan#20

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mengtanx pushed a commit to mengtanx/gstack that referenced this pull request Apr 6, 2026
refactor middleware for better session handling


Development

Successfully merging this pull request may close these issues.

[Security] SSRF and local resource access via unrestricted URL handling
