Security: Add URL validation to prevent SSRF attacks #37

Open
Jah-yee wants to merge 1 commit into garrytan:main from Jah-yee:fix/ssrf-url-validation
Conversation

@Jah-yee Jah-yee commented Mar 13, 2026

Summary

Adds URL validation to prevent Server-Side Request Forgery (SSRF) and local file access attacks.

Changes

  • Added validateUrl() function to block file://, data://, and other dangerous protocols
  • Block localhost, 127.0.0.1, and .local domains
  • Applied validation to goto command and newTab method

Addresses garrytan#17 (SSRF and local resource access via unrestricted URL handling)

Security Impact

This prevents attackers from:

  • Accessing internal services via localhost/127.0.0.1
  • Reading local files via file:// protocol
  • Exploiting cloud metadata endpoints (AWS, GCP, Azure)

- Added validateUrl() function to block file://, data:, and other dangerous protocols
- Block localhost, 127.0.0.1, and .local domains
- Applied validation to goto command and newTab method
- Addresses issue garrytan#17: SSRF and local resource access via unrestricted URL handling
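An added example of what such a validator can look like in JavaScript (this is not the PR's own code; the name validateUrl, the { ok, reason } return shape and the host list are assumptions). It goes beyond the PR's list by allowlisting http/https instead of blocklisting schemes, by treating the whole 127/8 range and IPv6 loopback as local, and by blocking the link-local address that serves the AWS/GCP/Azure metadata endpoints the description mentions.

```javascript
// validateUrl: scheme allowlist plus local-host denylist, built on the WHATWG
// URL parser (global `URL` in Node and browsers) so that hostname spellings
// such as "127.1" or "LOCALHOST" are normalised before being compared.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Hosts named in the PR description (localhost, 127.0.0.1, *.local) plus the
// assumed extension: IPv6 loopback, the unspecified address and the
// link-local address used by cloud instance-metadata services.
const BLOCKED_HOSTS = new Set([
  "localhost",
  "127.0.0.1",
  "0.0.0.0",
  "[::1]",            // URL.hostname keeps the brackets for IPv6 literals
  "169.254.169.254",  // AWS/GCP/Azure instance metadata endpoint
]);

// Any 127.x.x.x address is loopback, not only 127.0.0.1.
function isLoopbackV4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && Number(m[1]) === 127;
}

// Returns { ok: true, url } for an acceptable URL, otherwise { ok: false, reason }.
function validateUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return { ok: false, reason: "malformed URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    // Rejects file:, data:, javascript:, ftp: and anything else not allowlisted.
    return { ok: false, reason: `protocol not allowed: ${url.protocol}` };
  }
  const host = url.hostname.toLowerCase();
  if (BLOCKED_HOSTS.has(host) || isLoopbackV4(host) || host.endsWith(".local")) {
    return { ok: false, reason: `host not allowed: ${host}` };
  }
  return { ok: true, url: url.href };
}

// Example of wiring it in front of a navigation call (the `page` object is assumed):
// const check = validateUrl(target);
// if (!check.ok) throw new Error(`refusing to navigate: ${check.reason}`);
// await page.goto(check.url);
```

String checks like this do not cover a public hostname that resolves to an internal address (DNS rebinding or a redirect to an internal host); resolving the name and checking the resulting address, and re-validating after redirects, is the next layer.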