You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Scheme/host-presence validation alone did not satisfy CodeQL go/request-forgery;
the established repo barrier (validateRegistryURL) is a host equality guard. Pin
the beacon destination to the built-in telemetry host or a loopback address
(tests/local dev) and reject anything else before issuing the request. This both
clears the alert and genuinely hardens the path — the anonymous ID can only ever
reach the official endpoint or localhost, never an arbitrary host from a
malformed/hostile telemetry.endpoint value (documented as a testing override).
Related #MCP-2482
0 commit comments