
Fix SSRF + bump version #3498


Merged: 7 commits merged into master from fix-ssrf on Jun 27, 2025

Conversation

ildyria (Member) commented Jun 26, 2025

@BaranTeyin1 here is the fix which should hopefully cover about all the edge cases I could think of.

This pull request introduces a new validation rule for photo URLs, enhances configuration options for URL import security, and updates the application version. The most important changes include the addition of the PhotoUrlRule class for URL validation, updates to the FromUrlRequest rules to use this new validation rule, and the inclusion of database migrations for new configuration settings. Additionally, unit tests have been added to ensure the correctness of the new validation logic.

Validation Enhancements

  • Added the PhotoUrlRule class to validate photo URLs, ensuring they are syntactically correct and comply with security restrictions such as requiring HTTPS, disallowing private IPs, and forbidding certain ports (app/Rules/PhotoUrlRule.php).
  • Updated the FromUrlRequest rules to apply the PhotoUrlRule for validating individual URLs in the urls array (app/Http/Requests/Photo/FromUrlRequest.php).

Configuration Updates

  • Introduced a new migration to add configurable options for URL import security, including settings to require HTTPS, disallow private IPs, forbid localhost, and restrict ports to 80/443 (database/migrations/2025_06_26_102340_parse_url_options.php).

Testing Improvements

  • Added comprehensive unit tests for the PhotoUrlRule to validate various scenarios, such as invalid URLs, forbidden schemes, and restricted ports or IPs (tests/Unit/Rules/PhotoUrlRuleTest.php).

Version Update

  • Updated the application version from 6.6.12 to 6.6.13 to reflect the new features and changes (version.md, database/migrations/2025_06_26_115949_bump_version060613.php).

@ildyria ildyria requested a review from a team as a code owner June 26, 2025 12:02
@ildyria ildyria added the labels Review: easy and High Priority on Jun 26, 2025
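The PR description above lists the four checks the new PhotoUrlRule enforces (HTTPS only, no private IPs, no localhost, ports restricted to 80/443). The following is an added, stand-alone Python illustration of that kind of SSRF-resistant URL validator; it is not the project's PHP rule and does not reproduce its code. The policy dictionary, the PhotoUrlError class, the is_allowed helper and the sample URLs are assumptions made for this example. It also goes slightly beyond the four listed checks: it unwraps IPv4-mapped IPv6 literals before the private-range test, rejects userinfo in the URL, and requires any non-literal host to be a DNS name with an alphabetic top-level label, which rules out non-canonical numeric hosts such as 2130706433 or 0x7f.1 that the standard library refuses to parse as IPs but that a fetching library would happily resolve to 127.0.0.1.

```python
"""Illustrative SSRF-resistant validation of a user-supplied photo URL.

Added example, not code from the Lychee project. The policy knobs below
mirror the four options the PR description lists; everything else is an
assumption made for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical policy flags (assumed names, one per option listed in the PR).
DEFAULT_POLICY = {
    "require_https": True,
    "disallow_private_ip": True,
    "forbid_localhost": True,
    "restrict_ports": True,  # only 80 and 443
}

# RFC 1123-style host: LDH labels joined by dots, alphabetic top-level label.
# Requiring an alphabetic TLD rejects hosts such as "2130706433" or "0x7f.1",
# which ipaddress refuses but a resolver library would map to 127.0.0.1.
_DNS_NAME = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?$"
)


class PhotoUrlError(ValueError):
    """Raised when a URL fails the import policy (assumed exception name)."""


def _is_disallowed_ip(ip):
    """True for any literal address a server must never fetch from."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 hides a private IPv4 address
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_photo_url(url, policy=DEFAULT_POLICY):
    """Return the (stripped) URL if every enabled check passes, else raise."""
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise PhotoUrlError(f"scheme {scheme or '(none)'!r} is not allowed")
    if policy["require_https"] and scheme != "https":
        raise PhotoUrlError("https is required")

    host = parts.hostname  # lowercased, IPv6 brackets removed
    if not host:
        raise PhotoUrlError("missing host")
    # Extra check beyond the PR's listed options: credentials in the URL are a
    # classic parser-confusion vector (https://trusted.example@10.0.0.1/).
    if parts.username is not None or parts.password is not None:
        raise PhotoUrlError("userinfo in URL is not allowed")

    try:
        port = parts.port  # ValueError when non-numeric or out of range
    except ValueError:
        raise PhotoUrlError("invalid port") from None
    if port is None:
        port = 443 if scheme == "https" else 80
    if policy["restrict_ports"] and port not in (80, 443):
        raise PhotoUrlError(f"port {port} is not allowed")

    if policy["forbid_localhost"] and (host == "localhost"
                                       or host.endswith(".localhost")):
        raise PhotoUrlError("localhost is forbidden")

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not a literal address; treat as a DNS name
    if ip is not None:
        if policy["disallow_private_ip"] and _is_disallowed_ip(ip):
            raise PhotoUrlError(f"address {ip} is not publicly routable")
    elif not _DNS_NAME.match(host):
        raise PhotoUrlError(f"host {host!r} is not a valid public DNS name")
    return url


def is_allowed(url, policy=DEFAULT_POLICY):
    """Boolean wrapper around validate_photo_url for quick checks."""
    try:
        validate_photo_url(url, policy)
        return True
    except PhotoUrlError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the PR.
    for sample in ("https://example.com/photo.jpg",
                   "http://example.com/photo.jpg",
                   "https://[::ffff:10.0.0.1]/photo.jpg",
                   "https://2130706433/photo.jpg",
                   "https://example.com:8080/photo.jpg"):
        print(f"{sample:45} -> {is_allowed(sample)}")
```

A validator like this only reasons about the URL string. Two things it cannot see are the DNS answer at fetch time (a public hostname may resolve to a private address, and with rebinding it may resolve differently from one lookup to the next) and HTTP redirects from the remote server to an internal address. The fetcher therefore has to resolve the host itself, run the same address check on the resolved IP and connect to that exact address, and either refuse redirects or re-validate every hop.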
@BaranTeyin1 commented
Thanks for the fix and for taking care of this.


codecov bot commented Jun 26, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.04%. Comparing base (e05d9d7) to head (c587f94).
Report is 1 commit behind head on master.


@ildyria ildyria merged commit 9dc162e into master Jun 27, 2025
35 checks passed
@ildyria ildyria deleted the fix-ssrf branch June 27, 2025 08:17