
fix: [IDE-1679] validate API URL hostname #522

Open

ShawkyZ wants to merge 7 commits into main from fix/IDE-1679-api-url-validation

Conversation

@ShawkyZ (Contributor) commented Jan 13, 2026

Validate API URL and Request URL against snyk.io or snykgov.io hostnames

@ShawkyZ ShawkyZ requested review from a team as code owners January 13, 2026 13:50
@snyk-io bot commented Jan 13, 2026

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total (0)
Open Source Security  0         0     0       0    0 issues
Licenses              0         0     0       0    0 issues
Code Security         0         0     0       0    0 issues


@acke (Contributor) left a comment

Must make unit tests pass before merge

@ShawkyZ ShawkyZ marked this pull request as draft January 13, 2026 14:30
@ShawkyZ ShawkyZ changed the title from "fix: validate API URL hostname" to "fix: [IDE-1679] validate API URL hostname" Jan 13, 2026
@gitguardian bot commented Jan 16, 2026

✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

@ShawkyZ ShawkyZ closed this Jan 16, 2026
@ShawkyZ ShawkyZ reopened this Jan 16, 2026
@ShawkyZ ShawkyZ marked this pull request as ready for review January 19, 2026 17:27
logger.Warn().Err(err).Str(configuration.API_URL, urlString).Msg("failed to get api url")
}

if isValid, validationErr := auth.IsValidAuthHost(apiString, config.GetString(auth.CONFIG_KEY_ALLOWED_HOST_REGEXP)); !isValid || validationErr != nil {
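Review bot: The compound condition `!isValid || validationErr != nil` on the last visible line folds two different failures into one branch, a host that is not allowed and whatever error `IsValidAuthHost` returns for the configured `CONFIG_KEY_ALLOWED_HOST_REGEXP`, so the log written inside it cannot tell an operator which one happened. Check `validationErr` first and log it on its own, including the regexp value, then handle `!isValid` as the "host rejected" case; splitting the two also removes the readability problem with the single long `if`.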
@bastiandoetsch (Contributor) commented Jan 20, 2026

nitpick: this is a bit hard to understand.

@ShawkyZ ShawkyZ force-pushed the fix/IDE-1679-api-url-validation branch from 882b183 to 96d4ae4 on January 22, 2026 11:34
{"http://localhost:8080", true},
{"https://127.0.0.1:9000", true},
{"http://stella:8000", true},
{"192.168.1.1", false},
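Review bot: The only negative case in this table, `{"192.168.1.1", false}`, differs from the three accepted entries in two ways at once, it has no scheme and it is a non-loopback private address, so the table does not pin down which property makes the validator reject it. Add a sibling case with a scheme, e.g. `{"http://192.168.1.1", ...}` with whichever result is intended, so the expected handling of scheme-less input and of private addresses is each covered explicitly; since this table now documents which local hosts remain accepted, the PR description should also state the new restriction on API URLs.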
Contributor commented

Issue: This is a breaking change.

@ShawkyZ (Contributor, Author) commented

Fair, is there a reason why this is allowed? Or just legacy reasons?

Contributor commented

So far there have been no restrictions on what API URLs users set. Technically this is used for dev and test environments. Introducing a breaking change around the API URL has potentially high impact and needs to be explicitly decided and communicated.
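The hostname check this PR is about, written out as an added Go example that is not code from this PR or its project: the URL is parsed, its hostname is compared against the suffixes named in the PR description (snyk.io, snykgov.io) so that subdomains pass but look-alikes such as evilsnyk.io do not, and any other host is accepted only when it matches an explicitly configured regexp, which keeps the dev and test hosts from the test table (localhost, 127.0.0.1, stella) usable without allowing them by default. The function and variable names (`ValidateAPIURL`, `hostMatchesSuffix`, `defaultAllowedSuffixes`) are mine; the regexp parameter mirrors the role of the `CONFIG_KEY_ALLOWED_HOST_REGEXP` setting seen in the diff, but its semantics here (anchored, matched against the hostname only, empty means disabled) and the requirement of https for the allowlisted production hosts are assumptions of this example, not behaviour the PR implements.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hostnames accepted without further configuration. Taken from the PR description;
// matching is on the registrable suffix so api.eu.snyk.io and similar also pass.
var defaultAllowedSuffixes = []string{"snyk.io", "snykgov.io"}

// hostMatchesSuffix reports whether host equals suffix or is a subdomain of it.
// A plain strings.HasSuffix(host, suffix) would wrongly accept "evilsnyk.io".
func hostMatchesSuffix(host, suffix string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return host == suffix || strings.HasSuffix(host, "."+suffix)
}

// ValidateAPIURL returns nil when rawURL names an allowed API host.
// Allowed means: https and a host under one of defaultAllowedSuffixes, or any
// scheme and a host fully matched by allowedHostRegexp (assumed semantics: an
// opt-in escape hatch for dev/test hosts; empty string disables it).
func ValidateAPIURL(rawURL, allowedHostRegexp string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("parse api url: %w", err)
	}
	// Scheme-less values such as "192.168.1.1" parse as a path with an empty
	// host; reject them explicitly rather than validating an empty string.
	if u.Scheme == "" || u.Hostname() == "" {
		return errors.New("api url must include a scheme and a host")
	}
	host := u.Hostname()

	for _, suffix := range defaultAllowedSuffixes {
		if hostMatchesSuffix(host, suffix) {
			if u.Scheme != "https" {
				return fmt.Errorf("api url host %q requires https", host)
			}
			return nil
		}
	}

	if allowedHostRegexp == "" {
		return fmt.Errorf("api url host %q is not an allowed host", host)
	}
	// A regexp that does not compile is a configuration error and is reported
	// separately from a host that simply does not match.
	re, err := regexp.Compile("^(?:" + allowedHostRegexp + ")$")
	if err != nil {
		return fmt.Errorf("invalid allowed host regexp: %w", err)
	}
	// Anchoring above means an unanchored setting like "localhost" cannot be
	// satisfied by "localhost.example", which would otherwise slip through.
	if !re.MatchString(host) {
		return fmt.Errorf("api url host %q is not an allowed host", host)
	}
	return nil
}

func main() {
	// Constructed inputs: the three accepted entries and the rejected one from
	// the PR's test table, plus a production host and a look-alike.
	devHosts := `localhost|127\.0\.0\.1|stella`
	cases := []struct{ rawURL, re string }{
		{"https://api.snyk.io", ""},
		{"https://evilsnyk.io", ""},
		{"http://localhost:8080", ""},
		{"http://localhost:8080", devHosts},
		{"https://127.0.0.1:9000", devHosts},
		{"http://stella:8000", devHosts},
		{"192.168.1.1", devHosts},
	}
	for _, c := range cases {
		fmt.Printf("%-28s regexp=%-30q -> %v\n", c.rawURL, c.re, ValidateAPIURL(c.rawURL, c.re))
	}
}
```

With an empty regexp only the snyk.io and snykgov.io hosts are accepted, which is the restriction the PR introduces; the dev hosts from the test table pass only when the regexp names them, which is one way to ship the restriction without silently breaking the dev and test setups the reviewer mentions.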

@PeterSchafer (Contributor) left a comment

Just to avoid accidental merging.
