Icm 43582 vulnerability report blind ssrf at html rewriter.fastedge.gcore.dev lead to internal port #105
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a blind SSRF vulnerability (ICM-43582) by implementing host validation to prevent requests to private/internal IP addresses and ports. The changes add security checks that reject requests targeting private networks, localhost, and other restricted IP ranges.
Key changes:
- Added private IP address validation for both IPv4 and IPv6 addresses
- Implemented host validation checks in HTTP backend and service layers
- Refactored key-value store operations to improve type safety and error handling
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| crates/http-backend/src/lib.rs | Added is_public_host() function and comprehensive private IP detection for IPv4/IPv6 to prevent SSRF attacks |
| crates/http-service/src/state.rs | Added host validation check using is_public_host() before processing backend requests |
| crates/key-value-store/src/lib.rs | Renamed zrange to zrange_by_score and updated return type to include scores |
| crates/key-value-store/src/redis_impl.rs | Updated Redis operations to match new interface and improved error handling |
| crates/key-value-store/Cargo.toml | Upgraded Redis dependency to 0.32 with additional features for safe iterators |
| crates/runtime/src/app.rs | Added serde(default) to param field and added comprehensive tests for deserialization |
| crates/reactor/src/lib.rs | Updated WIT path from SDK submodule to local reactor wit directory |
| .gitmodules | Changed submodule from SDK to FastEdge-wit repository |
| Cargo.toml | Version bump to 0.13.2 |
| CHANGELOG.md | Added release notes for versions 0.13.1 and 0.13.2 |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ruslanti
force-pushed
the
ICM-43582-vulnerability-report-blind-ssrf-at-html-rewriter.fastedge.gcore.dev-lead-to-internal-port
branch
from
55b5062 to
0d86c18
Compare
…package versions to 0.13.0-2
qrdl
reviewed
Dec 1, 2025
Collaborator
qrdl
left a comment
qrdl
left a comment
There was a problem hiding this comment.
Some of Copilot comments make sense, please take a look
qrdl
approved these changes
Dec 1, 2025
ruslanti
deleted the
ICM-43582-vulnerability-report-blind-ssrf-at-html-rewriter.fastedge.gcore.dev-lead-to-internal-port
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.