
fix(security): fixed SSRF vulnerability#1149

Merged
waleedlatif1 merged 1 commit into staging from fix/vuln on Aug 27, 2025

Conversation

@waleedlatif1 (Collaborator)

Summary

fixed SSRF vulnerability #960

Type of Change

  • Other: Security

Testing

Tested manually and ensured that all legitimate API routes can still be called.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)


@waleedlatif1 waleedlatif1 merged commit 3424a33 into staging Aug 27, 2025
3 of 4 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/vuln branch August 27, 2025 06:11
@greptile-apps (Contributor) bot left a comment


Greptile Summary

This PR addresses a critical Server-Side Request Forgery (SSRF) vulnerability (#960) by implementing comprehensive URL validation across the application's proxy endpoints. The fix introduces a centralized security module (url-validation.ts) that prevents malicious requests to internal networks, localhost, cloud metadata endpoints, and dangerous protocols while preserving legitimate external API functionality.

The security implementation follows a defense-in-depth approach by blocking private IP ranges (RFC 1918), loopback addresses, link-local addresses, and dangerous protocols (file://, ftp://, etc.). It includes protection against URL encoding bypass attempts through recursive validation and provides detailed security logging for monitoring potential attacks.

The changes span four key files:

  • A new security validation module that centralizes URL validation logic
  • Updates to the main proxy endpoint (/api/proxy/route.ts) to validate URLs before proxying requests
  • Updates to the image proxy endpoint (/api/proxy/image/route.ts) with image-specific validation
  • Comprehensive test coverage validating both security measures and legitimate API functionality

The fix maintains backward compatibility by allowing all legitimate external APIs (OpenAI, GitHub, Microsoft, etc.) to continue functioning while blocking internal network access, cloud metadata endpoints, and file system access attempts.

Confidence score: 5/5

  • This PR is extremely safe to merge as it addresses a critical security vulnerability with comprehensive protection measures
  • Score reflects thorough security implementation with extensive test coverage and preservation of legitimate functionality
  • No files require special attention as the implementation follows security best practices with proper validation and error handling

4 files reviewed, 2 comments

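As an added example (not code from this PR, the sim project or its url-validation.ts module), here is a TypeScript outbound-URL validator that implements the checks the summary above lists: an http/https protocol allowlist, rejection of loopback, RFC 1918, link-local (which contains the 169.254.169.254 metadata address) and cloud metadata hosts for both IPv4 and IPv6 literals, and re-validation of each successive percent-decoding of the input. Every identifier in it (validateOutboundUrl, UrlVerdict, BLOCKED_V4, CLOUD_METADATA_HOSTS, hostnameProblem) and every sample URL is an assumption of this example, not a name taken from the project.

```typescript
// Added example, not the project's code: an allowlist-style outbound URL
// validator of the kind the PR's url-validation.ts is described as providing.
// Every name below (validateOutboundUrl, UrlVerdict, BLOCKED_V4, ...) is an
// assumption of this example.

export interface UrlVerdict {
  allowed: boolean;
  reason?: string;     // why the URL was rejected
  normalized?: string; // canonical form of the URL when allowed
}

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Hostnames of cloud metadata services (assumed list for this example).
const CLOUD_METADATA_HOSTS = new Set(['metadata.google.internal', 'metadata']);

// Blocked IPv4 ranges as [network, prefix length]: loopback, RFC 1918,
// link-local (which contains 169.254.169.254), "this network" and CGNAT.
const BLOCKED_V4: Array<[string, number]> = [
  ['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['169.254.0.0', 16], ['0.0.0.0', 8], ['100.64.0.0', 10],
];

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedIPv4(ip: string): boolean {
  const addr = ipv4ToInt(ip);
  if (addr === null) return true; // unparsable literal: fail closed
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(net)! & mask) >>> 0);
  });
}

// Expand an IPv6 literal (without brackets) into its eight 16-bit groups.
function expandIPv6(literal: string): number[] | null {
  const halves = literal.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0) return null;
  const groups = [...head, ...Array<string>(fill).fill('0'), ...tail];
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function isBlockedIPv6(literal: string): boolean {
  const g = expandIPv6(literal);
  if (!g) return true; // fail closed on anything we cannot interpret
  const leadingZeros = (n: number) => g.slice(0, n).every((x) => x === 0);
  if (leadingZeros(7) && g[7] <= 1) return true;   // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return true;     // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;     // fe80::/10 link-local
  if (leadingZeros(5) && g[5] === 0xffff) {        // ::ffff:a.b.c.d mapped IPv4
    return isBlockedIPv4(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
  }
  return false;
}

// Returns a rejection reason for a parsed hostname, or null if it may be fetched.
function hostnameProblem(hostname: string): string | null {
  const h = hostname.toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return 'loopback hostname';
  if (CLOUD_METADATA_HOSTS.has(h)) return 'cloud metadata hostname';
  if (h.startsWith('[')) return isBlockedIPv6(h.slice(1, -1)) ? 'non-public IPv6 address' : null;
  if (/^\d+(\.\d+){3}$/.test(h)) return isBlockedIPv4(h) ? 'non-public IPv4 address' : null;
  return null;
}

export function validateOutboundUrl(raw: string, maxDecodeRounds = 3): UrlVerdict {
  // The WHATWG URL parser canonicalises numeric hosts (decimal or hex IPv4
  // forms become dotted quads), so the checks run on parsed hostnames. Each
  // successive percent-decoding of the input is validated as well, so a URL
  // whose decoded form points somewhere forbidden is rejected (fail closed).
  let candidate = raw;
  let normalized = '';
  for (let round = 0; round <= maxDecodeRounds; round++) {
    let parsed: URL;
    try { parsed = new URL(candidate); } catch { return { allowed: false, reason: 'unparsable URL' }; }
    if (round === 0) normalized = parsed.href;
    if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
      return { allowed: false, reason: `protocol ${parsed.protocol} not allowed` };
    }
    const problem = hostnameProblem(parsed.hostname);
    if (problem) return { allowed: false, reason: problem };
    let decoded: string;
    try { decoded = decodeURIComponent(candidate); } catch { break; }
    if (decoded === candidate) break; // nothing left to decode
    candidate = decoded;
  }
  return { allowed: true, normalized };
}
```

A check of this kind only sees the string it is given. It cannot tell whether a public-looking hostname resolves to a private address, or whether the answer changes between the check and the fetch, and it says nothing about where a redirect leads. A proxy that relies on it should therefore also resolve the hostname and run the same address checks on the result, and re-validate every hop when following redirects.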
