@DerekRoberts DerekRoberts commented Dec 7, 2025

Potential fix for https://github.com/bcgov/quickstart-openshift-backends/security/code-scanning/34

To fix the SSRF risk, we must prevent arbitrary URLs from being used for downloads. The best approach is to restrict the allowable URLs to an authorized list or ensure they match a safe prefix (e.g., only allow downloads from “https://repo.maven.apache.org/maven2/” or another expected Maven repository domain). Practically, in this code, we should validate wrapperUrl after parsing and before initiating any download: either by checking the domain and scheme are expected values or matching the URL against a whitelist of allowed URLs. Editing is required primarily in the logic just after parsing the URL (i.e., after line 49 but before passing to downloadFileFromURL). If the URL does not meet the criteria, exit with an error message.

Specifically:

  • Add a check right after creating wrapperUrl in main.
  • Accept only URLs with scheme https and host equal to a well-known Maven server (e.g., "repo.maven.apache.org"), or a few such hosts if needed.
  • If the check fails, print an error to stderr and exit.
  • No extra dependencies are needed: URL parsing is part of the standard library.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

…est forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@DerekRoberts DerekRoberts changed the title Potential fix for code scanning alert no. 34: Server-side request forgery chore: Potential fix for code scanning alert no. 34: Server-side request forgery Dec 7, 2025
@DerekRoberts DerekRoberts marked this pull request as ready for review December 7, 2025 20:25
Copilot AI review requested due to automatic review settings December 7, 2025 20:25
Copilot AI left a comment


Pull request overview

This PR addresses a code scanning alert for Server-Side Request Forgery (SSRF) vulnerability in the Maven Wrapper downloader by implementing URL validation with an allowlist of trusted Maven repository hosts. The fix prevents arbitrary URLs from being used for downloads by validating both the protocol (HTTPS only) and the host (restricted to known Maven repositories) before initiating any download operations.

Key Changes:

  • Added SSRF protection through URL validation in MavenWrapperDownloader
  • Implemented allowlist validation for Maven repository hosts (repo.maven.apache.org and repo1.maven.org)
  • Enforced HTTPS-only protocol with early exit on validation failure
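One way to implement the check that the PR description and the review summary above describe (https-only scheme, host restricted to repo.maven.apache.org and repo1.maven.org, early exit on failure), written here as an added example; it is not the PR's diff or the project's own MavenWrapperDownloader. The class name WrapperUrlPolicy, the method validate, and the sample inputs are assumptions for illustration; the caller is expected to catch the exception, print it to stderr and exit, which is the behaviour the description asks for. It assumes Java 8 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Allowlist validation for the Maven Wrapper download URL.
 *
 * Added example, not the project's own code: the class and method names are
 * illustrative, and the two hosts are the ones named on this page.
 */
public final class WrapperUrlPolicy {

    /** Hosts the wrapper jar may be fetched from (the page's allowlist). */
    private static final List<String> ALLOWED_HOSTS = Arrays.asList(
            "repo.maven.apache.org",
            "repo1.maven.org");

    private WrapperUrlPolicy() {}

    /**
     * Parses and validates the URL read from the wrapper properties file.
     * Returns the parsed URI on success; throws IllegalArgumentException with a
     * message the caller can print to stderr before exiting.
     */
    public static URI validate(String wrapperUrl) {
        final URI uri;
        try {
            uri = new URI(wrapperUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("wrapperUrl is not a valid URI: " + e.getMessage());
        }

        // 1. Scheme must be https. getScheme() keeps the original case, so normalise.
        String scheme = uri.getScheme();
        if (scheme == null || !"https".equals(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("wrapperUrl must use https, got: " + scheme);
        }

        // 2. No userinfo. java.net.URI puts everything before '@' into userinfo, so
        //    "https://repo.maven.apache.org@attacker.example/" would already fail the
        //    host check below; rejecting it explicitly keeps the error message honest.
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("wrapperUrl must not contain user info");
        }

        // 3. Host must be on the allowlist. getHost() is null when the authority is
        //    not a well-formed server authority, so null is a rejection, not a pass.
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("wrapperUrl host is not an allowed Maven repository: " + host);
        }

        // 4. Only the default https port. An explicit port could reach a different
        //    service on an otherwise trusted host.
        int port = uri.getPort();
        if (port != -1 && port != 443) {
            throw new IllegalArgumentException("wrapperUrl must use the default https port, got: " + port);
        }
        return uri;
    }

    /** Constructed sample inputs (not taken from any real wrapper properties file). */
    public static void main(String[] args) {
        String[] samples = {
            "https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/maven-wrapper.jar",
            "HTTPS://REPO1.MAVEN.ORG/maven2/foo.jar",                        // case differences only
            "http://repo.maven.apache.org/maven2/foo.jar",                   // plaintext scheme
            "https://repo.maven.apache.org@attacker.example/maven2/foo.jar", // userinfo trick
            "https://repo.maven.apache.org.attacker.example/maven2/foo.jar", // suffix lookalike
            "https://repo.maven.apache.org:8443/maven2/foo.jar",             // non-default port
            "file:///etc/passwd",                                            // no host at all
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + validate(s));
            } catch (IllegalArgumentException e) {
                System.err.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Wiring this in means calling validate on the string read from the properties file before it reaches downloadFileFromURL, and on IllegalArgumentException printing the message to System.err and calling System.exit(1). The comparison is against the parsed host, not a string prefix, which is why the userinfo and suffix-lookalike samples are rejected even though both start with the trusted host name.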


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Copilot AI commented Dec 7, 2025

@DerekRoberts I've opened a new pull request, #397, to work on those changes. Once the pull request is ready, I'll request review from you.

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: DerekRoberts <4391600+DerekRoberts@users.noreply.github.com>
Combines security fixes from both PRs:
- SSRF protection: URL validation with allowlist (from alert-autofix-34)
- Path traversal protection: baseDir validation and symlink resolution (from main)
@DerekRoberts DerekRoberts merged commit 953a3ec into main Dec 8, 2025
18 checks passed
@DerekRoberts DerekRoberts deleted the alert-autofix-34 branch December 8, 2025 02:11
@github-project-automation github-project-automation bot moved this from New to Done in DevOps (NR) Dec 8, 2025
