Conversation
Copilot AI commented Jan 22, 2026

The fetchLogoAsBase64 function fetches user-controlled URLs from the database without validation, allowing potential SSRF attacks against internal services and cloud metadata endpoints.

Changes

  • Added isUrlSafeToFetch validation - Blocks non-HTTP/HTTPS protocols, localhost, private IPv4 ranges (10.x, 172.16-31.x, 192.168.x, 169.254.x, 127.x), and private IPv6 addresses (::1, fe80:, fc00:, fd00:)
  • Integrated validation before fetch - Returns undefined for unsafe URLs, causing emails to render without logos rather than exposing internal resources
  • Added warning logs - Records blocked URLs with context for security monitoring
```typescript
const fetchLogoAsBase64 = async (url: string | undefined): Promise<string | undefined> => {
  if (!url) return undefined;

  // Validate URL to prevent SSRF attacks
  if (!isUrlSafeToFetch(url)) {
    logger.warn('Blocked unsafe URL for logo fetch', { url });
    return undefined;
  }

  // ... rest of fetch logic
};
```

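The check the PR description lists (HTTP/HTTPS only, localhost, the private IPv4 ranges, and ::1 / fe80: / fc00: / fd00:), written out as an added example that is not the project's own code. The function and constant names are assumptions; beyond the PR's list it also rejects 0.0.0.0/8 and IPv4-mapped IPv6 literals, and it relies on the WHATWG URL parser canonicalising decimal, hex and shortened IPv4 forms (`http://2130706433/` becomes `127.0.0.1`) before the comparison.

```typescript
// Added example, not the project's code: a hostname / IP-literal check of the
// kind the PR description lists. Function and constant names are assumptions.
// Beyond the PR's list it also rejects 0.0.0.0/8 and IPv4-mapped IPv6 literals.

// Blocked IPv4 ranges as [network, prefix length].
const PRIVATE_IPV4_RANGES: Array<[string, number]> = [
  ["10.0.0.0", 8],       // RFC 1918
  ["172.16.0.0", 12],    // RFC 1918
  ["192.168.0.0", 16],   // RFC 1918
  ["169.254.0.0", 16],   // link-local, incl. cloud metadata 169.254.169.254
  ["127.0.0.0", 8],      // loopback
  ["0.0.0.0", 8],        // "this network"; 0.0.0.0 reaches local services on many hosts
];

// Dotted-quad IPv4 literal -> unsigned 32-bit number, or null if it is not one.
function parseIpv4(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(addr: number, network: string, prefix: number): boolean {
  const base = parseIpv4(network) as number;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

function isPrivateIpv4(addr: number): boolean {
  return PRIVATE_IPV4_RANGES.some(([net, len]) => inCidr(addr, net, len));
}

// `addr` is the IPv6 literal without brackets, as the WHATWG URL parser
// serialises it (lower-case, zero-compressed, e.g. "::ffff:7f00:1").
function isPrivateIpv6(addr: string): boolean {
  const a = addr.toLowerCase();
  if (a === "::1" || a === "::") return true;          // loopback, unspecified
  if (/^fe[89ab][0-9a-f]:/.test(a)) return true;       // fe80::/10 link-local
  if (/^f[cd][0-9a-f]{2}:/.test(a)) return true;       // fc00::/7 unique local (fc00:, fd00:)
  const mapped = /^::ffff:(.+)$/.exec(a);              // IPv4-mapped: ::ffff:a.b.c.d
  if (mapped) {
    const tail = mapped[1];
    const dotted = parseIpv4(tail);
    if (dotted !== null) return isPrivateIpv4(dotted);
    const groups = tail.split(":");
    if (groups.length === 2 && groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) {
      const v4 = ((parseInt(groups[0], 16) << 16) | parseInt(groups[1], 16)) >>> 0;
      return isPrivateIpv4(v4);
    }
  }
  return false;
}

function isUrlSafeToFetch(rawUrl: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return false;                                       // unparseable: do not fetch
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  // WHATWG parsing has already canonicalised decimal/hex/short IPv4 forms here.
  const host = parsed.hostname.toLowerCase();
  if (host === "") return false;
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host.startsWith("[") && host.endsWith("]")) {
    return !isPrivateIpv6(host.slice(1, -1));
  }
  const v4 = parseIpv4(host);
  if (v4 !== null) return !isPrivateIpv4(v4);
  return true; // a DNS name passes this literal-only check (see note below)
}
```

A check of this shape only inspects what is written in the URL. Any DNS name is allowed through, so a name that resolves to a private address (or that rebinds between the check and the connect), and an HTTP redirect from a public host to a private one, are not stopped by it. To close those gaps the fetch path has to resolve the name itself, apply the same address test to every resolved address, connect to that exact address, and either refuse redirects or re-run the check on each hop.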

Copilot AI and others added 2 commits January 22, 2026 13:16
- Add isUrlSafeToFetch validation function that checks:
  - Only allows HTTP/HTTPS protocols
  - Blocks localhost and local hostnames
  - Blocks private IPv4 ranges (10.x, 172.16-31.x, 192.168.x, 169.254.x, 127.x)
  - Blocks private IPv6 addresses (::1, fe80:, fc00:, fd00:)
- Integrate URL validation into fetchLogoAsBase64 before fetching
- Return undefined for unsafe URLs instead of attempting fetch
- Add warning logs for blocked URLs
- Fix unused error variables in catch blocks

Co-authored-by: Anmol1696 <10805402+Anmol1696@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix base64 logo implementation in email" to "Add SSRF protection to logo URL fetching" on Jan 22, 2026
Copilot AI requested a review from Anmol1696 January 22, 2026 13:20
@Anmol1696 Anmol1696 marked this pull request as ready for review January 22, 2026 13:35
@Anmol1696 Anmol1696 merged commit 1290cef into anmol/inline-logo Jan 22, 2026
@Anmol1696 Anmol1696 deleted the copilot/sub-pr-646 branch January 22, 2026 13:35