[PR #8012] [MERGED] [AI] Add SSRF protection to SimpleFIN bank sync integration #131659

Closed
opened 2026-06-16 00:23:04 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/actualbudget/actual/pull/8012
Author: @MatissJanis
Created: 5/31/2026
Status: Merged
Merged: 6/6/2026
Merged by: @MatissJanis

Base: masterHead: claude/simplefin-ssrf-protection-Du3JD


📝 Commits (8)

  • 0d71bff [AI] Add SSRF protection to SimpleFIN bank sync integration
  • 8d97838 [AI] Unify CORS proxy private-IP check with shared SSRF helper
  • 6faa317 [AI] Rename SimpleFIN SSRF release note to match PR number
  • e3490a9 Implement SSRF protection for SimpleFIN bank sync
  • 78d431d [AI] Allow self-hosted private SimpleFIN servers by default
  • 5afa92a Merge remote-tracking branch 'origin/master' into claude/simplefin-ssrf-protection-Du3JD
  • f36368d [AI] Re-validate SSRF rules on each SimpleFIN redirect hop
  • 1dc6913 Merge branch 'master' into claude/simplefin-ssrf-protection-Du3JD

📊 Changes

6 files changed (+326 additions, -40 deletions)

View changed files

📝 packages/sync-server/src/app-cors-proxy.js (+4 -15)
📝 packages/sync-server/src/app-cors-proxy.test.js (+0 -20)
📝 packages/sync-server/src/app-simplefin/app-simplefin.js (+36 -5)
packages/sync-server/src/util/ssrf.test.ts (+162 -0)
packages/sync-server/src/util/ssrf.ts (+118 -0)
upcoming-release-notes/8012.md (+6 -0)

📄 Description

Description

Patch a security problem w/ SimpleFIN

https://github.com/actualbudget/actual/security/advisories/GHSA-q5j6-rc55-rvqx

Testing

N/A

Checklist

  • Release notes added (see link above)
  • No obvious regressions in affected areas
  • Self-review has been performed - I understand what each change in the code does and why it is needed

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/actualbudget/actual/pull/8012 **Author:** [@MatissJanis](https://github.com/MatissJanis) **Created:** 5/31/2026 **Status:** ✅ Merged **Merged:** 6/6/2026 **Merged by:** [@MatissJanis](https://github.com/MatissJanis) **Base:** `master` ← **Head:** `claude/simplefin-ssrf-protection-Du3JD` --- ### 📝 Commits (8) - [`0d71bff`](https://github.com/actualbudget/actual/commit/0d71bffb2523487916d05b9ad991d50d37dfb640) [AI] Add SSRF protection to SimpleFIN bank sync integration - [`8d97838`](https://github.com/actualbudget/actual/commit/8d978382b67fdb3e542df9bc2275af5a09c7697e) [AI] Unify CORS proxy private-IP check with shared SSRF helper - [`6faa317`](https://github.com/actualbudget/actual/commit/6faa317ac875f9a4bf1a64cb34ff909cc8abe0fd) [AI] Rename SimpleFIN SSRF release note to match PR number - [`e3490a9`](https://github.com/actualbudget/actual/commit/e3490a9f80c2fa7a40e1135123fc99bdee920d26) Implement SSRF protection for SimpleFIN bank sync - [`78d431d`](https://github.com/actualbudget/actual/commit/78d431d4f066e47fcd677cd9d6cbcafdc98c2079) [AI] Allow self-hosted private SimpleFIN servers by default - [`5afa92a`](https://github.com/actualbudget/actual/commit/5afa92a23a9d788f6c479e9e165f80d51fab4927) Merge remote-tracking branch 'origin/master' into claude/simplefin-ssrf-protection-Du3JD - [`f36368d`](https://github.com/actualbudget/actual/commit/f36368d4a287e700968c08561fd4bb84fa7d5bf6) [AI] Re-validate SSRF rules on each SimpleFIN redirect hop - [`1dc6913`](https://github.com/actualbudget/actual/commit/1dc691309822237dbb876b19aa6b9aacac5b0b13) Merge branch 'master' into claude/simplefin-ssrf-protection-Du3JD ### 📊 Changes **6 files changed** (+326 additions, -40 deletions) <details> <summary>View changed files</summary> 📝 `packages/sync-server/src/app-cors-proxy.js` (+4 -15) 📝 `packages/sync-server/src/app-cors-proxy.test.js` (+0 -20) 📝 `packages/sync-server/src/app-simplefin/app-simplefin.js` (+36 -5) ➕ `packages/sync-server/src/util/ssrf.test.ts` (+162 -0) ➕ `packages/sync-server/src/util/ssrf.ts` (+118 -0) ➕ `upcoming-release-notes/8012.md` (+6 -0) </details> ### 📄 Description <!-- Thank you for submitting a pull request! Make sure to follow the instructions to write release notes for your PR — it should only take a minute or two: https://actualbudget.org/docs/contributing/#writing-good-release-notes. Try running yarn generate:release-notes *before* pushing your PR for an interactive experience. --> ## Description <!-- What does this PR do? Why is it needed? Please give context on the "why?": why do we need this change? What problem is it solving for you?--> Patch a security problem w/ SimpleFIN ## Related issue(s) <!-- e.g. Fixes #123, Relates to #456 --> https://github.com/actualbudget/actual/security/advisories/GHSA-q5j6-rc55-rvqx ## Testing <!-- What did you test? How can we reproduce the issue you are fixing or how can we test the feature you built? --> N/A ## Checklist - [x] Release notes added (see link above) - [ ] No obvious regressions in affected areas - [x] Self-review has been performed - I understand what each change in the code does and why it is needed <!--- actual-bot-sections ---> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-16 00:23:04 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/actual#131659