Server-Side Request Forgery (SSRF) in Remote Macro + Forge-Fetch-Client.
Bug

A user can query http://localhost and http://127.0.0.1 and could potentially fetch data from internal hostnames/services.

Acceptance Criteria
🟠 This should be globally fixed by Atlassian in the Forge fetch Client! But for now we do:
✅ only allow https:// and http://, block all other protocols
Blocked hosts and ranges:
- http[s]://127.0.0.1* (ipv4)
- http[s]://localhost* (ipv4+6)
- http[s]://[::1]* (ipv6)
- 172.16.0.0/16
- 10.0.0.0/8
- 169.254.169.254
Notes
Error messages are displayed like this:
1️⃣ Disallowed redirect
2️⃣ Blocklisted IP or Domain
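The following is an added example of the check described above, not code from the issue or from the macro project. It enforces the acceptance criteria in plain Node.js: only http: and https: are accepted, the literal host is checked against the hosts and ranges listed in the issue (taken as written, so 172.16.0.0/16 rather than the full RFC 1918 block 172.16.0.0/12), and redirects are re-validated before being followed. Two additions go beyond the issue's list: names under .localhost are treated like localhost, and the caller may pass the addresses a hostname resolved to (for example from dns.promises.lookup) so that a public name pointing at an internal address is caught too. The safeFetch wrapper assumes the injected fetch function honours a standard RequestInit with redirect: 'manual'; whether the Forge fetch client does so is an assumption here.

```javascript
// Added example (not the project's code): validate outbound URLs for a remote
// macro before handing them to a fetch client. No imports needed; URL is global.

// Scheme and host rules from the issue's acceptance criteria.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const BLOCKED_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
// Ranges as listed in the issue. Note: the full RFC 1918 block is 172.16.0.0/12;
// the issue lists only the /16 and that value is kept here as written.
const BLOCKED_IPV4_CIDRS = ['10.0.0.0/8', '172.16.0.0/16', '169.254.169.254/32'];

// Error messages as shown in the issue's Notes.
const ERR_REDIRECT = 'Disallowed redirect';
const ERR_BLOCKLIST = 'Blocklisted IP or Domain';

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIPv4(host) {
  const m = IPV4_RE.exec(host);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

function ipv4ToInt(ip) {
  // Shift may go negative in int32 arithmetic; >>> 0 restores the unsigned value.
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function hostIsBlocked(hostname) {
  // URL.hostname keeps brackets around IPv6 literals, e.g. "[::1]".
  const host = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith('.localhost')) return true;
  if (isIPv4(host)) return BLOCKED_IPV4_CIDRS.some((cidr) => inCidr(host, cidr));
  return false;
}

// Returns { ok: true, url } or { ok: false, error }. The WHATWG URL parser
// normalizes numeric IPv4 forms (e.g. http://2130706433/ -> 127.0.0.1), so the
// check runs on url.hostname rather than on the raw string.
function validateTarget(rawUrl, resolvedAddresses = []) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, error: 'Invalid URL' };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, error: `Disallowed protocol ${url.protocol}` };
  }
  // resolvedAddresses (optional) are the IPs the caller resolved the name to.
  if (hostIsBlocked(url.hostname) || resolvedAddresses.some(hostIsBlocked)) {
    return { ok: false, error: ERR_BLOCKLIST };
  }
  return { ok: true, url };
}

// A redirect target gets the same rules; a relative Location is resolved
// against the URL that issued the redirect.
function validateRedirect(fromUrl, location) {
  let target;
  try {
    target = new URL(location, fromUrl);
  } catch {
    return { ok: false, error: ERR_REDIRECT };
  }
  const result = validateTarget(target.href);
  return result.ok ? result : { ok: false, error: ERR_REDIRECT };
}

// Wrapper around a fetch-like function (injected so it can be exercised offline;
// assumed to accept RequestInit with redirect: 'manual').
async function safeFetch(rawUrl, fetchImpl, maxRedirects = 3) {
  let current = validateTarget(rawUrl);
  if (!current.ok) throw new Error(current.error);
  for (let hop = 0; hop <= maxRedirects; hop += 1) {
    const res = await fetchImpl(current.url.href, { redirect: 'manual' });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get('location');
    if (!location) throw new Error(ERR_REDIRECT);
    const next = validateRedirect(current.url.href, location);
    if (!next.ok) throw new Error(next.error);
    current = next;
  }
  throw new Error(ERR_REDIRECT);
}
```

Checking only the literal host is the minimum the issue asks for; resolving the name first and passing the result as resolvedAddresses closes the gap where a public hostname points at an internal address, and re-checking every redirect hop is what produces the "Disallowed redirect" error rather than silently following a 302 to localhost.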