Closed LightYagami28 closed 3 days ago
Pls fix @fent
The link doesn't work. What's the suggested fix for this?
So the suggested fix is to not allow common internal domains such as localhost, 127.0.0.1, 192....., etc.? Although there could be a custom internal domain.
I also looked at other HTTP libraries like got, node-fetch, superagent, and request. Only request mitigates this, by not allowing redirects for non-GET requests here.
Issue Description: A potential Server-Side Request Forgery (SSRF) vulnerability was detected in the miniget library. The issue was identified in the file index.js at line 170, where unsanitized input from the document location flows into a request.

Steps to Reproduce: This vulnerability was detected using Snyk Code analysis. The code in question does not adequately validate or sanitize the input, leading to a potential SSRF risk.

Suggested Fix: It is recommended to validate the input URL, potentially by implementing a whitelist of allowed domains or by sanitizing user input before making the request.
References: