[AC-52] Server-Side Request Forgery (SSRF) in Remote Macro + Forge-Fetch-Client

[clouless]

Bug

Server-Side Request Forgery (SSRF) in Remote Macro + Forge-Fetch-Client.
A user can query http://localhost and http://127.0.0.1 and could potentially fetch data from internal hostnames/services.

Acceptance Criteria

• 🟠 This should be globally fixed by Atlassian in the Forge fetch Client! But for now we do:
• ✅ only allow https:// and http://, block all other protocols
• ✅ block http[s]://127.0.0.1* (ipv4)
• ✅ block http[s]://localhost* (ipv4+6)
• ✅ block http[s]://[::1]* (ipv6)
• ✅ disable follow redirects
• ✅ block internal Atlassian IPs: 172.16.0.0/16, 10.0.0.0/8, 169.254.169.254
• ✅ implement DNS resolver to block any hostnames pointing to localhost (ipv4+ipv6)
  • ✅ We are using "DNS over HTTPS" from Google.
  • ✅ We have updated the Privacy Policy to include "DNS over HTTPS" section => https://codeclou.io/legal/en/privacy/atlassian/advanced-codeblocks-for-confluence/

Notes

Error Messages displayed like this:

1️⃣ Disallowed redirect

2️⃣ Blocklisted IP or Domain

[clouless]

Released to the Atlassian Marketplace today