Skip to content

Added checks to prevent SSRF and used pinned url. Also removed appVersion for docsum, chatqna-core #1518

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Supriya-Krishnamurthi wants to merge 7 commits into
base: release-2025.2.0
Choose a base branch
from
Open

Added checks to prevent SSRF and used pinned url. Also removed appVersion for docsum, chatqna-core #1518

Supriya-Krishnamurthi wants to merge 7 commits into from

Conversation

@Supriya-Krishnamurthi
Copy link
Contributor

@Supriya-Krishnamurthi Supriya-Krishnamurthi commented Dec 5, 2025

Added checks to prevent SSRF and used pinned url. Also removed appVersion for docsum, chatqna-core

Description
Added few checks to prevent SSRF

DNS rebinding Avoided: Instead of directly using the user provided url, we validate it, resolve to ip address and use it instead of url with hostname as shown in example below

Example:

Resolve Hostname:

Input URL: https://malicious.com/
Resolved IP: 203.0.113.45 (public IP)

Validate Resolved IP:

Confirm 203.0.113.45 is a public IP.

Pin URL to Resolved IP:

Pinned URL: https://203.0.113.45/
Hostname malicious.com is preserved in the Host header.

DNS Rebinding Attempt:

Attacker changes malicious.com to resolve to 192.168.1.100 (private IP).

Prevent Rebinding:

HTTP request is sent to the pinned IP 203.0.113.45, ignoring the re-resolved private IP.
DNS rebinding attack is mitigated.

Fixes # https://github.com/open-edge-platform/edge-ai-libraries/security/code-scanning/1624
https://jira.devtools.intel.com/browse/ITEP-82266

Any Newly Introduced Dependencies
Please describe any newly introduced 3rd party dependencies in this change. List their name, license information and how they are used in the project.

How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

Checklist:
I agree to use the APACHE-2.0 license for my code changes.
I have not introduced any 3rd party components incompatible with APACHE-2.0.
I have not included any company confidential information, trade secret, password or security token.
I have performed a self-review of my code.

@Supriya-Krishnamurthi Supriya-Krishnamurthi marked this pull request as ready for review December 5, 2025 14:00
@Supriya-Krishnamurthi Supriya-Krishnamurthi marked this pull request as draft December 5, 2025 14:03
@Supriya-Krishnamurthi Supriya-Krishnamurthi marked this pull request as ready for review December 5, 2025 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bharagha bharagha bharagha approved these changes

@hteeyeoh hteeyeoh hteeyeoh approved these changes

@yogeshmpandey yogeshmpandey Awaiting requested review from yogeshmpandey yogeshmpandey is a code owner

@madhuri-rai07 madhuri-rai07 Awaiting requested review from madhuri-rai07 madhuri-rai07 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Supriya-Krishnamurthi @bharagha @hteeyeoh