🎯 fix: Actions Allowed Domains Handling (#11215)

* 🔧 fix: Update domain handling in ActionsInput components for SSRF validation

- Refactored domain extraction logic in ActionsInput components to include protocol in the domain metadata for proper SSRF validation.
- Ensured that the domain is constructed as `${parsedUrl.protocol}//${parsedUrl.hostname}` to enhance security and prevent potential vulnerabilities.

This change improves the handling of user-provided domains and aligns with best practices for security in URL processing.

* 🔧 fix: Include missing `actions` field in AppService configuration
Danny Avila 2026-01-05 14:58:26 -05:00 committed by GitHub
parent e343180740
commit 019c59f10e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 18 additions and 19 deletions


@ -698,9 +698,9 @@ export function validateActionDomain(
if (clientHasProtocol) {
normalizedClientDomain = extractDomainFromUrl(clientProvidedDomain);
} else {
// IP addresses inherit protocol from spec, domains default to https
// No protocol specified by client
if (isIPAddress) {
// IPv6 addresses need brackets in URLs
// IPs inherit protocol from spec (for legitimate internal services)
const ipVersion = isIP(normalizedClientHostname);
const hostname =
ipVersion === 6 && !clientHostname.startsWith('[')
@ -708,6 +708,7 @@ export function validateActionDomain(
: clientHostname;
normalizedClientDomain = `${specUrl.protocol}//${hostname}`;
} else {
// Domain names default to HTTPS for security (forces explicit protocol)
normalizedClientDomain = `https://${clientHostname}`;
}
}
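Review bot: The domain-name branch at `normalizedClientDomain = \`https://${clientHostname}\`;` builds the string that is later compared from the raw `clientHostname`, while the IP branch a few lines up reads `normalizedClientHostname` for its `isIP` check; which form the allow-list comparison downstream expects is not visible here, so if the normalized variable is the canonical one (lowercased, brackets stripped, or similar), the two branches would produce differently normalized values for the same input. Whichever is intended, a short comment on the `else` branch naming why the raw hostname is used there, or switching that line to `normalizedClientHostname` if that is the canonical form, would make the invariant explicit. The IP path inherits the spec's protocol, so a bare IP combined with an `http://` spec is accepted over plain HTTP; the existing comment notes the intent, but stating that this is the only exception to the HTTPS default, e.g. `// Only IPs may fall back to the spec protocol; hostnames always default to HTTPS`, would guard the rule against later edits. validateActionDomain starts and ends outside this hunk.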