Description
The GitRepositoryFactory.create_from_url method in src/api/query/infrastructure/git_repository.py currently accepts a URL with any hostname as long as its path contains a /blob/ or /-/blob/ pattern. If the URL is user-controlled, this could allow requests to internal services (SSRF vulnerability).
Suggested Mitigation
Consider implementing one or both of these approaches:
- Enforce a configurable allowlist of permitted hostnames
- Block IP literals, localhost, and private/loopback/reserved IP ranges using Python's ipaddress module
Validation should occur in create_from_url after parsing the URL and before instantiating repository instances.
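The following is an added example of what that validation step could look like, not code from this repository: it combines a hostname allowlist with the ipaddress checks described above. The allowlist contents, the function name validate_git_url and the returned (ok, reason) tuple are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the example; a deployment would load this from config.
ALLOWED_HOSTS = {"github.com", "gitlab.com"}


def validate_git_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason). Rejects non-http(s) schemes, embedded credentials,
    IP literals, localhost, and any hostname outside the allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname  # lowercased, port removed, IPv6 brackets stripped
    if not host:
        return False, "missing hostname"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    # Classify IP literals (IPv4, IPv6, and IPv4-mapped IPv6 all parse here).
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False, f"IP literal {host} is in a blocked range"
        # Even a public literal is refused: only allowlisted names are permitted.
        return False, f"IP literal {host} is not an allowlisted hostname"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    host = host.rstrip(".")  # "github.com." is the same name in DNS terms
    if host not in allowed_hosts:
        return False, f"host {host!r} is not in the allowlist"
    if "/blob/" not in parts.path and "/-/blob/" not in parts.path:
        return False, "path does not look like a blob URL"
    return True, "ok"
```

Because the allowlist is the final gate, non-canonical address spellings that ipaddress does not parse (decimal or hex forms) are still rejected. The check does not resolve DNS, so it does not cover an allowlisted name resolving to an internal address; that would need a resolution-time check in addition.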
References
Context
This issue was identified during review of PR #181 and marked as out-of-scope for that PR. This issue tracks the follow-up work.