
fix(security): restrict download URL override to HTTPS only [DEVA11Y-479]#19

Open
sunny-se wants to merge 1 commit into main from fix/DEVA11Y-479-block-file-scheme

Conversation

@sunny-se sunny-se commented May 26, 2026

Summary

  • CWE-918 (SSRF): parseOverride() accepted file:// URLs and bare file paths in --download-url / env var, allowing local-file read and SSRF via bsdtar extraction (CVSS 8.1 High)
  • Restricted to HTTPS-only; http, file, and bare paths now throw PluginError with clear message
  • No functional change for legitimate users — production download URLs are always HTTPS

Verification

  1. Pass --download-url file:///etc/passwd → should get PluginError: Unsupported URL scheme 'file'
  2. Pass --download-url /tmp/evil.tar.gz → should get PluginError: Invalid download URL
  3. Pass --download-url http://internal:9090/... → should get PluginError: Unsupported URL scheme 'http'
  4. Pass valid --download-url https://... → works as before

Jira

DEVA11Y-479

🤖 Generated with Claude Code

F-008 / DEVA11Y-479 — parseOverride() accepted file:// URLs and bare
paths (CWE-918), enabling SSRF and local-file exfiltration via bsdtar.
Restrict to HTTPS-only to prevent local file access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sunny-se sunny-se requested a review from a team as a code owner May 26, 2026 09:00
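An HTTPS-only check along the lines this PR describes, written here as an added example rather than the project's own code: `parseOverride` and `PluginError` are the names used in the PR, while their signatures, the `resolveDownloadUrl` helper and the `DOWNLOAD_URL` variable name are assumptions. The error messages match the PR's verification steps.

```javascript
// Added example, not the project's code: reject every download-URL override
// that is not an absolute https:// URL before it can reach a downloader or
// bsdtar. Uses Node's global WHATWG URL class.

class PluginError extends Error {
  constructor(message) {
    super(message);
    this.name = 'PluginError';
  }
}

// Only this scheme is allowed; http, file, data, and bare paths are refused.
const ALLOWED_PROTOCOLS = new Set(['https:']);

function parseOverride(value) {
  if (typeof value !== 'string' || value.trim() === '') {
    throw new PluginError('Invalid download URL');
  }
  let url;
  try {
    // A bare path such as /tmp/evil.tar.gz has no scheme and fails to parse,
    // as does any other non-absolute input.
    url = new URL(value);
  } catch {
    throw new PluginError('Invalid download URL');
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    // url.protocol is normalised to lower case, so 'FILE:///...' is caught too.
    const scheme = url.protocol.slice(0, -1);
    throw new PluginError(`Unsupported URL scheme '${scheme}'`);
  }
  if (url.hostname === '') {
    // Defensive: the parser already rejects https URLs without a host.
    throw new PluginError('Invalid download URL');
  }
  return url;
}

// Resolve the override the way a CLI would: the flag wins, then the env var
// (DOWNLOAD_URL is an assumed name), otherwise there is no override.
function resolveDownloadUrl(cliValue, env = process.env) {
  const raw = cliValue ?? env.DOWNLOAD_URL;
  return raw === undefined ? null : parseOverride(raw);
}
```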