
Conversation

@mtrezza
Member

@mtrezza mtrezza commented Dec 16, 2025

Fixes security vulnerability GHSA-3f5f-xgrj-97pf

Summary by CodeRabbit

  • Bug Fixes

    • Instagram authentication now consistently uses the official Graph API endpoint, preventing potential endpoint misconfigurations.
  • Tests

    • Added test coverage for Instagram authentication endpoint handling.


@parse-github-assistant

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title from "fix: insta auth" to "fix: Insta auth" Dec 16, 2025
@parse-github-assistant

parse-github-assistant bot commented Dec 16, 2025

🚀 Thanks for opening this pull request!

@parseplatformorg
Contributor

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical 0, High 0, Medium 0, Low 0. Total: 0 issues.


@coderabbitai

coderabbitai bot commented Dec 16, 2025

Walkthrough

The changes hardcode the Instagram Graph API endpoint to https://graph.instagram.com/ in the getUserFromAccessToken method, removing support for client-provided API URL overrides. A new test case verifies this endpoint enforcement behavior.

Changes

Cohort: Instagram Graph API endpoint hardcoding
Files: src/Adapters/Auth/instagram.js, spec/Adapters/Auth/instagram.spec.js
Summary: Production code changes getUserFromAccessToken to hardcode the Graph API URL instead of accepting configurable overrides via authData.apiURL. Test adds a case validating that client-provided apiURL values are ignored in favor of the fixed endpoint.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify the hardcoded URL (https://graph.instagram.com/) is the correct official endpoint
  • Check for other code paths or tests that may depend on the removed apiURL configurability
  • Confirm no breaking changes for existing integrations that previously relied on URL overrides

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Description check: ⚠️ Warning. No pull request description was provided; the required template sections including Issue, Approach, and Tasks are entirely missing. Resolution: Add a complete PR description following the template: include the issue link under 'Issue', explain the changes under 'Approach', and mark relevant tasks completed under 'Tasks'.

✅ Passed checks (2 passed)

Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check: ✅ Passed. The title accurately describes the main security fix in the changeset—hardcoding the Instagram Graph API endpoint to prevent SSRF attacks.

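The pattern the walkthrough describes, as an added example that is not parse-server's own code: the profile request URL is built from a fixed Graph API base so that nothing in client-controlled authData can change where the server connects, with a guard a regression test can use. The `/me?fields=id` path, the `access_token` query parameter and the injected `request` function are assumptions, not copied from the adapter.

```javascript
// Added example (not parse-server's code): the defensive pattern behind this PR.
// The profile lookup always goes to the official Instagram Graph API; values in
// client-controlled `authData` are never consulted for the endpoint.
// Assumption: the `/me?fields=id` path and `access_token` parameter illustrate
// the Graph API request shape and are not copied from the adapter.

const INSTAGRAM_GRAPH_API = 'https://graph.instagram.com/';

// Build the request URL from the fixed base. `authData` is accepted so the
// signature matches how an auth adapter is called, but it deliberately plays no
// part in choosing the host or path.
function buildProfileUrl(accessToken, authData = {}) {
  if (typeof accessToken !== 'string' || accessToken.length === 0) {
    throw new TypeError('Instagram access token is required');
  }
  const url = new URL('me', INSTAGRAM_GRAPH_API);
  url.searchParams.set('fields', 'id');
  // URLSearchParams percent-encodes the token, so a token containing `&` or `#`
  // cannot add query parameters or truncate the URL.
  url.searchParams.set('access_token', accessToken);
  return url.toString();
}

// Regression guard mirroring the spec added in this PR: whatever a client puts
// in authData, the outgoing request must target the Graph API origin.
function targetsOfficialEndpoint(requestUrl) {
  try {
    return new URL(requestUrl).origin === new URL(INSTAGRAM_GRAPH_API).origin;
  } catch (e) {
    return false; // not even a valid URL
  }
}

// Fetch the profile and confirm the token belongs to the user the client claims.
// `request` is injected (a wrapper around fetch that returns parsed JSON) so the
// adapter logic can be exercised offline in tests.
async function getUserFromAccessToken(accessToken, authData, request) {
  const url = buildProfileUrl(accessToken, authData);
  if (!targetsOfficialEndpoint(url)) {
    throw new Error('refusing to contact a non-Instagram endpoint');
  }
  const data = await request(url);
  if (!data || data.id !== authData.id) {
    throw new Error('Instagram auth is invalid for this user.');
  }
  return data;
}
```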

@codecov

codecov bot commented Dec 16, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.53%. Comparing base (a23b192) to head (dd2038a).
⚠️ Report is 9 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha    #9988      +/-   ##
==========================================
- Coverage   92.53%   92.53%   -0.01%     
==========================================
  Files         190      190              
  Lines       15471    15470       -1     
  Branches      176      176              
==========================================
- Hits        14316    14315       -1     
  Misses       1143     1143              
  Partials       12       12              


@mtrezza mtrezza changed the title from "fix: Insta auth" to "fix: Server-Side Request Forgery (SSRF) in Instagram auth adapter" Dec 16, 2025
@mtrezza mtrezza merged commit fbcc938 into parse-community:alpha Dec 16, 2025
23 checks passed
parseplatformorg pushed a commit that referenced this pull request Dec 16, 2025
## [9.1.1-alpha.1](9.1.0...9.1.1-alpha.1) (2025-12-16)

### Bug Fixes

* Server-Side Request Forgery (SSRF) in Instagram auth adapter [GHSA-3f5f-xgrj-97pf](https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf) ([#9988](#9988)) ([fbcc938](fbcc938))
@parseplatformorg
Contributor

🎉 This change has been released in version 9.1.1-alpha.1

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Dec 16, 2025
parseplatformorg pushed a commit that referenced this pull request Dec 16, 2025
## [9.1.1](9.1.0...9.1.1) (2025-12-16)

### Bug Fixes

* Server-Side Request Forgery (SSRF) in Instagram auth adapter [GHSA-3f5f-xgrj-97pf](https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf) ([#9988](#9988)) ([fbcc938](fbcc938))
@parseplatformorg
Contributor

🎉 This change has been released in version 9.1.1

@parseplatformorg parseplatformorg added the state:released Released as stable version label Dec 16, 2025