From fcb115cfbacfc4aea2f67e099a14435b996a3a10 Mon Sep 17 00:00:00 2001 From: ngaturjiwo77-hue Date: Fri, 24 Apr 2026 02:44:41 +0700 Subject: [PATCH] Security: Disable automatic redirects to prevent SSRF --- .../common/net/http/javanet/DefaultConnectionFactory.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/src/main/java/com/google/tsunami/common/net/http/javanet/DefaultConnectionFactory.java b/common/src/main/java/com/google/tsunami/common/net/http/javanet/DefaultConnectionFactory.java index 07bb3e048..7299f08e6 100644 --- a/common/src/main/java/com/google/tsunami/common/net/http/javanet/DefaultConnectionFactory.java +++ b/common/src/main/java/com/google/tsunami/common/net/http/javanet/DefaultConnectionFactory.java @@ -48,6 +48,10 @@ public DefaultConnectionFactory( @Override public HttpURLConnection openConnection(String url) throws IOException { HttpURLConnection connection = (HttpURLConnection) new URL(url).openConnection(); + + // Prevent blind SSRF by disabling automatic redirects + connection.setInstanceFollowRedirects(false); + connection.setConnectTimeout((int) connectTimeout.toMillis()); connection.setReadTimeout((int) readTimeout.toMillis());