Closed tuncayyildirtanuk closed 1 week ago
Not sure what validation could be done here: this is a low level library, src could be anything that makes sense for the app developer, so validation should be done at the app level.
Fetch is a native browser API. This isn't a server-side Node.js program, as it gets executed in the browser, not on the server. They need to run Snyk with an appropriate profile such that you do not get these messages for a browser app.
We can't do server-side forgery from within JSC/V8/SpiderMonkey, else this would be a bug in the respective WebKit/Chromium/Mozilla. Which it ain't.
If your security folks need an educational session about browsers, the difference between SSRF in a browser and in a Node.js/Deno/Bun program, and how SSRFs really work, then feel free to reach out!
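The maintainer's point that `src` validation belongs at the app level, shown as an added example that is not code from this library or thread: the app keeps its own origin allow-list and checks the URL before handing it to a low-level fetch wrapper. The origin names and the `libraryFetch`/`appFetch` wrappers are assumptions for illustration.

```javascript
// Added example: app-level validation of a `src` URL before it reaches a
// low-level fetch wrapper. The library cannot know which origins make sense
// for a given app, so the app owns the allow-list. All names are hypothetical.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // the app's own origin, so relative paths resolve here
  "https://cdn.example.com",
  "https://api.example.com",
]);

// Returns a normalised absolute URL if `src` is acceptable, otherwise throws.
// Comparing `url.origin` covers scheme, host and port in one check, so
// look-alike hosts and unexpected ports are rejected together.
function validateSrc(src, base = "https://app.example.com/") {
  let url;
  try {
    url = new URL(src, base); // relative paths resolve against the app origin
  } catch {
    throw new TypeError(`src is not a valid URL: ${String(src)}`);
  }
  if (url.protocol !== "https:") {
    throw new TypeError(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new TypeError("credentials embedded in src are not allowed");
  }
  if (!ALLOWED_ORIGINS.has(url.origin)) {
    throw new TypeError(`origin not allowed: ${url.origin}`);
  }
  return url.href;
}

// Convenience predicate for callers that prefer a boolean to an exception.
function isAllowedSrc(src) {
  try { validateSrc(src); return true; } catch { return false; }
}

// Stand-in for the library's low-level call: it validates nothing, by design.
async function libraryFetch(src, fetchImpl = globalThis.fetch) {
  return fetchImpl(src);
}

// App-level entry point: validate first, then delegate to the library.
async function appFetch(src, fetchImpl) {
  return libraryFetch(validateSrc(src), fetchImpl);
}
```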
Description:
Sky utilizes a static code analysis tool called Snyk to identify and manage potential security vulnerabilities. Recent scans have flagged the following security issues:
Request: Could you review and address these security vulnerabilities? Ensuring that we’re using secure, up-to-date packages and implementing recommended fixes is critical for maintaining the integrity of our codebase.
Steps to Reproduce (if applicable):
Expected Outcome: All flagged security vulnerabilities are reviewed and addressed in accordance with Snyk’s recommendations.