SSRF via first-party proxy -- no target domain allowlist

## Summary

The `/first-party/proxy` endpoint proxies to arbitrary URLs (protected only by `tstoken` signature). `proxy_with_redirects` follows up to 4 redirects with no domain or IP range restriction, allowing SSRF to internal services if a signed URL redirects.

## Refs

- `crates/common/src/proxy.rs` lines 600-621 — `handle_first_party_proxy`
- `crates/common/src/proxy.rs` lines 463-582 — `proxy_with_redirects` follows redirects

## Recommendation

Validate redirect targets against an allowlist or block private IP ranges.

## Context

Production readiness audit — see #396

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SSRF via first-party proxy -- no target domain allowlist #414

Summary

Refs

Recommendation

Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SSRF via first-party proxy -- no target domain allowlist #414

Description

Summary

Refs

Recommendation

Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions