kodustech · Wellington01 · Feb 11, 2026 · Feb 10, 2026
diff --git a/package.json b/package.json
@@ -37,8 +37,8 @@
         "@tanstack/react-table": "^8.21.3",
         "@tanstack/react-virtual": "^3.13.18",
         "@tiptap/core": "^3.17.1",
-        "@tiptap/extension-placeholder": "^3.17.1",
         "@tiptap/extension-code-block": "^3.17.1",
+        "@tiptap/extension-placeholder": "^3.17.1",
         "@tiptap/extensions": "^3.17.1",
         "@tiptap/pm": "^3.17.1",
         "@tiptap/react": "^3.17.1",
@@ -73,6 +73,7 @@
         "react-select": "^5.10.2",
         "react-sortablejs": "^6.1.4",
         "react-syntax-highlighter": "^16.1.0",
+        "request-filtering-agent": "^3.2.0",
         "seed-color": "^2.0.1",
         "sortablejs": "^1.15.6",
         "tailwind-merge": "3.4.0",

diff --git a/src/core/utils/permissions.ts b/src/core/utils/permissions.ts
@@ -78,9 +78,9 @@ const canAccessRoute = ({
 
         const createRoutePattern = (route: string): string => {
             return route
-                .replace(/[.*+?^${}()|[]\]/g, "\$&")
-                .replace(/:teamId/g, "[\w-]+")
-                .replace(/:[a-zA-Z]+/g, "[\w-]+");
+                .replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
+                .replace(/:teamId/g, "[\\w-]+")
+                .replace(/:[a-zA-Z]+/g, "[\\w-]+");
         };
 
         const pattern = createRoutePattern(route);

diff --git a/src/features/ee/sso/_components/metadata.tsx b/src/features/ee/sso/_components/metadata.tsx
@@ -1,6 +1,8 @@
 "use server";
 
+import axios from "axios";
 import { MetadataReader } from "passport-saml-metadata";
+import { useAgent } from "request-filtering-agent";
 
 export async function parseMetadataFromFile(fileContent: string) {
     try {
@@ -23,20 +25,27 @@
 
     try {
         const parsedUrl = new URL(url);
-        console.log(parsedUrl);
         if (
             !["http:", "http", "https:", "https"].includes(parsedUrl.protocol)
         ) {
             throw new Error("URL must use http or https protocol");
         }
 
-        const response = await fetch(url);
+        const response = await axios.get(url, {
+            httpAgent: useAgent(url),
+            httpsAgent: useAgent(url),
+            responseType: "text",
+            transitional: {
+                silentJSONParsing: false,
+                forcedJSONParsing: false,
+            },
+        });
@@ -31,6 +31,15 @@
            throw new Error("URL must use http or https protocol");
        }
+        const hostname = parsedUrl.hostname.toLowerCase();
+
+        // Basic SSRF guardrails: reject obvious local hosts. Adapt this logic
+        // to your environment (for example, by enforcing an explicit allow-list).
+        const disallowedHosts = new Set(["localhost", "127.0.0.1", "::1"]);
+        if (disallowedHosts.has(hostname)) {
+            throw new Error("URL hostname is not allowed");
+        }
+
        const response = await axios.get(url, {
            httpAgent: useAgent(url),
            httpsAgent: useAgent(url),
@@ -31,6 +31,15 @@
            throw new Error("URL must use http or https protocol");
        }

+        const hostname = parsedUrl.hostname.toLowerCase();
+
+        // Basic SSRF guardrails: reject obvious local hosts. Adapt this logic
+        // to your environment (for example, by enforcing an explicit allow-list).
+        const disallowedHosts = new Set(["localhost", "127.0.0.1", "::1"]);
+        if (disallowedHosts.has(hostname)) {
+            throw new Error("URL hostname is not allowed");
+        }
+
        const response = await axios.get(url, {
            httpAgent: useAgent(url),
            httpsAgent: useAgent(url),
 
-        if (!response.ok) {
+        if (response.status < 200 || response.status >= 300) {
             throw new Error(`Failed to fetch metadata: ${response.statusText}`);
         }
 
-        const rawMetadata = await response.text();
+        const rawMetadata = (await response.data) as string;
         return await parseMetadataFromFile(rawMetadata);
     } catch (error) {
         console.error("Metadata fetch error:", error);

diff --git a/yarn.lock b/yarn.lock
@@ -3772,6 +3772,11 @@ internal-slot@^1.1.0:
   resolved "https://registry.npmjs.org/internmap/-/internmap-2.0.3.tgz#6685f23755e43c524e251d29cbc97248e3061009"
   integrity sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==
 
+ipaddr.js@^2.1.0:
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-2.3.0.tgz#71dce70e1398122208996d1c22f2ba46a24b1abc"
+  integrity sha512-Zv/pA+ciVFbCSBBjGfaKUya/CcGmUHzTydLMaTwrUUEM2DIEO3iZvueGxmacvmN50fGpGVKeTXpb2LcYQxeVdg==
+
 is-alphabetical@^2.0.0:
   version "2.0.1"
   resolved "https://registry.npmjs.org/is-alphabetical/-/is-alphabetical-2.0.1.tgz#01072053ea7c1036df3c7d19a6daaec7f19e789b"
@@ -5075,6 +5080,13 @@ regexp.prototype.flags@^1.5.3, regexp.prototype.flags@^1.5.4:
     gopd "^1.2.0"
     set-function-name "^2.0.2"
 
+request-filtering-agent@^3.2.0:
+  version "3.2.0"
+  resolved "https://registry.yarnpkg.com/request-filtering-agent/-/request-filtering-agent-3.2.0.tgz#4b42c95624a88080454282e6df0cb8e41a2ae365"
+  integrity sha512-tKPrKdsmTFuGG1/pBEpzTB66mDZ2lZLW8kjW4N6jj4QjnxUTKrIfv5p2zuJRfztOos86jRPD41lRaGjh+1QqDw==
+  dependencies:
+    ipaddr.js "^2.1.0"
+
 resolve-from@^4.0.0:
   version "4.0.0"
   resolved "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz#4abcd852ad32dd7baabfe9b40e00a36db5f392e6"