add SSRF notice

b541623c · timothycarambat · 6bb537da · b541623c
Commit b541623c authored 8 months ago by timothycarambat
--- a/collector/utils/url/index.js
+++ b/collector/utils/url/index.js
+/**  ATTN: SECURITY RESEARCHERS
+ * To Security researchers about to submit an SSRF report CVE - please don't.
+ * We are aware that the code below is does not defend against any of the thousands of ways
+ * you can map a hostname to another IP. The code below does not have intention of blocking this
+ * and is simply to prevent the user from accidentally putting in non-valid websites, which is all this protects
+ * since _all urls must be submitted by the user anyway_ and cannot be done with authentication and manager or admin roles.
+ * If an attacker has those roles then the system is already vulnerable and this is not a primary concern.
+ * 
+ * We have gotten this report may times, marked them as duplicate or information and continue to get them. We communicate
+ * already that deployment (and security) of an instance is on the deployer and system admin deploying it. This would include
+ * isolation, firewalls, and the general security of the instance.
+*/
+
 const VALID_PROTOCOLS = ["https:", "http:"];
 const INVALID_OCTETS = [192, 172, 10, 127];

@@ -19,7 +32,7 @@ function validURL(url) {
    if (!VALID_PROTOCOLS.includes(destination.protocol)) return false;
    if (isInvalidIp(destination)) return false;
    return true;
-  } catch {}
+  } catch { }
  return false;
 }