LibreChat/packages
Danny Avila 1312cd757c
🛡️ fix: Validate User-provided URLs for Web Search (#12247)
* 🛡️ fix: SSRF-validate user-provided URLs in web search auth

User-controlled URL fields (jinaApiUrl, firecrawlApiUrl, searxngInstanceUrl)
flow from plugin auth into outbound HTTP requests without validation.
Reuse existing isSSRFTarget/resolveHostnameSSRF to block private/internal
targets while preserving admin-configured (env var) internal URLs.

* 🛡️ fix: Harden web search SSRF validation

- Reject non-HTTP(S) schemes (file://, ftp://, etc.) in isSSRFUrl
- Conditional write: only assign to authResult after SSRF check passes
- Move isUserProvided tracking after SSRF gate to avoid false positives
- Add authenticated assertions for optional-field SSRF blocks in tests
- Add file:// scheme rejection test
- Wrap process.env mutation in try/finally guard
- Add JSDoc + sync-obligation comment on WEB_SEARCH_URL_KEYS

* 🛡️ fix: Correct auth-type reporting for SSRF-stripped optional URLs

SSRF-stripped optional URL fields no longer pollute isUserProvided.
Track whether the field actually contributed to authResult before
crediting it as user-provided, so categories report SYSTEM_DEFINED
when all surviving values match env vars.
2026-03-15 18:05:08 -04:00
api 🛡️ fix: Validate User-provided URLs for Web Search (#12247) 2026-03-15 18:05:08 -04:00
client v0.8.3 (#12161) 2026-03-09 15:19:57 -04:00
data-provider 🐍 refactor: Normalize Non-Standard Browser MIME Type Aliases in inferMimeType (#12240) 2026-03-14 22:43:18 -04:00
data-schemas 🔑 fix: Require OTP Verification for 2FA Re-Enrollment and Backup Code Regeneration (#12223) 2026-03-14 01:51:31 -04:00