You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Address review: constrain artifact fetches to the allowlist
Security fixes for the well-known source's fetch path:
- B1 (SSRF / allowlist bypass): validate every fetched URL — index, each
entry's artifact url, and redirect targets — against the origin allowlist
and scheme rules via new assertUrlAllowed(). Previously only the configured
index origin was gated, so an allowlisted-but-malicious publisher could
point an artifact url at an internal host or off-allowlist CDN. Artifact
origins (incl. CDNs) must now be on WELL_KNOWN_ALLOWED_ORIGINS.
- B2 (silent off-origin redirects): fetch now uses redirect:"manual" and
follows hops itself, re-validating each Location (max 5) so a 3xx can't
escape the allowlist after the initial check.
- N1: the polling update-check now reads the index body through the same
size-capped reader instead of an unbounded arrayBuffer().
- N5: WELL_KNOWN_MAX_*_MB=0 (a 0-byte cap) now falls back to the default
instead of failing every fetch.
- N2/N3: clarifying comments on the tar header-size trust and the zip
symlink-attribute fallback (documented as non-escape).
Tests: assertUrlAllowed unit cases (off-origin, scheme, http-gate) plus sync
integration tests for cross-origin artifact rejection, off-allowlist redirect
rejection, and a followed same-origin redirect. Full suite 225 green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
0 commit comments