Merge branch 'master' into encrypt-jwt-value

timothycarambat · web-flow · commit d92fb7857c64 · 2024-08-13T17:53:55.000-07:00
diff --git a/collector/utils/url/index.js b/collector/utils/url/index.js
@@ -1,3 +1,16 @@
+/**  ATTN: SECURITY RESEARCHERS
+ * To Security researchers about to submit an SSRF report CVE - please don't.
+ * We are aware that the code below is does not defend against any of the thousands of ways
+ * you can map a hostname to another IP. The code below does not have intention of blocking this
+ * and is simply to prevent the user from accidentally putting in non-valid websites, which is all this protects
+ * since _all urls must be submitted by the user anyway_ and cannot be done with authentication and manager or admin roles.
+ * If an attacker has those roles then the system is already vulnerable and this is not a primary concern.
+ * 
+ * We have gotten this report may times, marked them as duplicate or information and continue to get them. We communicate
+ * already that deployment (and security) of an instance is on the deployer and system admin deploying it. This would include
+ * isolation, firewalls, and the general security of the instance.
+*/
+
 const VALID_PROTOCOLS = ["https:", "http:"];
 const INVALID_OCTETS = [192, 172, 10, 127];
 
@@ -19,7 +32,7 @@ function validURL(url) {
     if (!VALID_PROTOCOLS.includes(destination.protocol)) return false;
     if (isInvalidIp(destination)) return false;
     return true;
-  } catch {}
+  } catch { }
   return false;
 }
 
