Releases: cboxdk/laravel-ssrf
Releases · cboxdk/laravel-ssrf
Release list
v1.0.1
Support Laravel 12 and 13. v1.0.0 was pinned to illuminate/* ^12.0, which prevented installation on Laravel 13 apps. Constraints widened (illuminate ^12||^13, symfony/http-foundation ^7||^8, testbench ^10||^11, pest ^3.5||^4.0); CI now matrixes over both Laravel majors. No behavior change.
v1.0.0
Initial release of cboxdk/laravel-ssrf — a hardened, config-driven SSRF guard for outbound URLs in Laravel.
Highlights:
- Resolves both A and AAAA; blocks every private/reserved/cloud-metadata address.
- DNS-rebinding defence: resolve once, pin via CURLOPT_RESOLVE (TLS-safe), verify the connected IP, disable redirects.
- IPv6 transition forms (6to4, NAT64, Teredo, IPv4-mapped) blocked wholesale and embedded IPv4 re-checked (CVE-2026-48736 class).
- Http::ssrf() macro, PublicUrl validation rule, browser-redirect mode, FakeResolver test seam.
- Honest scope: network egress control is the complete fix.
CI is green (Pint, PHPStan max, 25 tests against real vectors, composer audit, license check, CycloneDX SBOM, TruffleHog secret scan, Semgrep SAST).