mirror of
https://github.com/actualbudget/actual.git
synced 2026-03-22 00:13:45 -05:00
Add comprehensive SSRF protection to SimpleFIN endpoints and harden the CORS proxy with consistent validation:

- Create shared validate-url.ts utility with DNS-aware IP validation, TOCTOU-safe DNS pinning, and pinned HTTP fetch
- Validate all SimpleFIN URLs (getAccessKey, getAccounts) against private/internal IP ranges including IPv4-mapped IPv6
- Replace naive fetch() calls with pinned DNS agents that prevent DNS rebinding between validation and request time
- Add manual redirect loops with per-hop SSRF validation and cross-origin credential stripping
- Enforce HTTPS protocol, request timeouts, and header hygiene
- Restrict SimpleFIN access key hosts to simplefin.com/simplefin.org
- Apply same IP-pinning and redirect validation to CORS proxy

https://claude.ai/code/session_0122tzRmFfs3ieXaTK7msUhw
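Added example, not code from the Actual repository or from the validate-url.ts the commit describes: a minimal Node.js version of the three checks the message lists (private-range rejection including IPv4-mapped IPv6, validating every resolved address and pinning one of them, and stripping credentials on cross-origin redirect hops). It assumes the caller has already resolved the hostname (for example with dns.promises.lookup(hostname, { all: true })) and passes the addresses in, then hands the pinned address to the HTTP agent's lookup option; the function names, the acceptance of simplefin.com/simplefin.org subdomains and the lowercase header names are this example's own assumptions.

```javascript
// Added example, not Actual's validate-url.ts. The caller is assumed to have run
// dns.promises.lookup(hostname, { all: true }) and to pass the returned addresses in.
const ALLOWED_HOSTS = ['simplefin.com', 'simplefin.org']; // subdomains allowed: an assumption here
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every(n => n <= 255) ? octets : null;
}

// Loopback, "this network", RFC 1918, link-local (169.254.169.254 metadata), CGNAT 100.64/10 and
// IPv6 ::/::1/ULA/link-local. IPv4-mapped IPv6 (::ffff:10.0.0.1 or ::ffff:0a00:0001) is unwrapped first.
function isPrivateAddress(ip) {
  let v4 = parseIPv4(ip);
  const mapped = /^::ffff:(.+)$/i.exec(ip);
  if (!v4 && mapped) {
    v4 = parseIPv4(mapped[1]);
    const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(mapped[1]);
    if (!v4 && hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      v4 = [hi >> 8, hi & 255, lo >> 8, lo & 255];
    }
  }
  if (v4) {
    const [a, b] = v4;
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) || (a === 192 && b === 168) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 100 && b >= 64 && b <= 127);
  }
  const v6 = ip.toLowerCase();
  return v6 === '::' || v6 === '::1' || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
}

// Enforces https and the host allowlist, rejects if ANY resolved address is private (a mixed
// A/AAAA answer must not smuggle one in) and returns the one address the agent must connect to.
function validateUrl(rawUrl, resolvedAddresses, allowedHosts = ALLOWED_HOSTS) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:') throw new Error('only https is allowed');
  if (!allowedHosts.some(h => url.hostname === h || url.hostname.endsWith('.' + h))) throw new Error('host not allowed');
  if (resolvedAddresses.length === 0) throw new Error('host did not resolve');
  for (const addr of resolvedAddresses) if (isPrivateAddress(addr)) throw new Error('private address ' + addr);
  return resolvedAddresses[0]; // pin: hand this to the agent's lookup so DNS is not queried again
}

// Per redirect hop: credentials survive only if the origin is unchanged (header names assumed lowercased).
function headersForRedirect(fromUrl, toUrl, headers) {
  const out = { ...headers };
  if (new URL(fromUrl).origin !== new URL(toUrl).origin) { delete out.authorization; delete out.cookie; }
  return out;
}
```

Because the validator never resolves the name itself and the request is made through an agent whose lookup returns the pinned address, there is no second DNS query between the check and the connect, which is the TOCTOU window the commit message refers to.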
140 B
| category | authors |
|---|---|
| Bugfix | |
Add URL validation to block requests to private IP addresses, enhancing security measures.