🛡️ Sentinel: [CRITICAL] Fix SSRF in bulk lookup API#205
Co-authored-by: aicoder2009 <127642633+aicoder2009@users.noreply.github.com>
Pull request overview
This PR removes an SSRF-prone loopback fetch() pattern from the bulk lookup API route by invoking internal Next.js route handlers directly, avoiding any dependence on the user-controlled Host header and eliminating internal network calls.
Changes:
- Refactored `POST /api/lookup/bulk` to dispatch directly to the `url`, `doi`, and `isbn` route `POST` handlers via a synthetic `NextRequest`.
- Updated bulk-lookup tests to mock the internal route handlers instead of `global.fetch`.
- Documented the SSRF incident and prevention guidance in Sentinel notes.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `src/app/api/lookup/bulk/route.ts` | Replaces loopback `fetch(request.nextUrl.origin + ...)` with direct handler invocation to eliminate SSRF risk. |
| `src/app/api/lookup/bulk/route.test.ts` | Switches unit tests from mocking `fetch` to mocking the imported route handlers. |
| `.jules/sentinel.md` | Adds an SSRF entry documenting root cause, learning, and prevention pattern. |
| expect(data.results[0].data.title).toBe('Example Page'); | ||
| const [url] = (global.fetch as ReturnType<typeof vi.fn>).mock.calls[0] as [string]; | ||
| expect(url).toContain('/api/lookup/url'); | ||
| expect(urlLookup).toHaveBeenCalled(); |
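Review bot: the replacement assertion `expect(urlLookup).toHaveBeenCalled()` is weaker than the lines it replaces, which at least checked that the dispatched path was `/api/lookup/url`; prefer `expect(urlLookup).toHaveBeenCalledTimes(1)` and inspect the synthetic request passed as the first argument (its URL path and parsed JSON body), otherwise a regression that routes every item to the url handler, or that builds the synthetic request from the incoming Host header again, still passes this test.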
| expect(data.results[0].success).toBe(true); | ||
| const [url] = (global.fetch as ReturnType<typeof vi.fn>).mock.calls[0] as [string]; | ||
| expect(url).toContain('/api/lookup/doi'); | ||
| expect(doiLookup).toHaveBeenCalled(); |
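Review bot: same gap for the doi case: `expect(doiLookup).toHaveBeenCalled()` no longer verifies what the bulk route sent, so assert on the request object the mock received (URL path and body containing the DOI from the bulk input) rather than only that the mock was invoked.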
| expect(data.results[0].success).toBe(true); | ||
| const [url] = (global.fetch as ReturnType<typeof vi.fn>).mock.calls[0] as [string]; | ||
| expect(url).toContain('/api/lookup/isbn'); | ||
| expect(isbnLookup).toHaveBeenCalled(); |
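Review bot: for the isbn case too, pin the mock's call count and the body of the synthetic request it received; with three handlers now mocked, a test that only checks `toHaveBeenCalled()` cannot tell whether the isbn item reached `isbnLookup` with the expected ISBN or was mis-dispatched.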
🚨 Severity: CRITICAL

💡 Vulnerability: The `src/app/api/lookup/bulk/route.ts` API route was making a loopback HTTP `fetch` request to internal API endpoints using `request.nextUrl.origin`. This hostname is derived dynamically from the user-controllable `Host` header, leading to a Server-Side Request Forgery (SSRF) vulnerability.

🎯 Impact: An attacker could manipulate the `Host` header to redirect the server's internal requests to a malicious server, potentially leading to request smuggling, internal network scanning, or bypassing access controls.

🔧 Fix: Modified the route to directly import and invoke the POST handlers from the `url`, `doi`, and `isbn` API routes. We now construct a synthetic `NextRequest` and pass it directly to the handler functions, completely bypassing network `fetch` and resolving the SSRF vulnerability while slightly improving performance.

✅ Verification: Ran `pnpm test:run` to ensure all tests pass. Verified the logic changes manually, ensuring no external fetches are made using user-controllable variables.

PR created automatically by Jules for task 844255265598433692 started by @aicoder2009
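The two patterns the PR description contrasts, as an added example that is not the project's code: the Host-derived loopback target beside the direct handler invocation through a synthetic request. It assumes the standard `Request`/`Response` types (Node 18+) in place of `NextRequest`, and the three handlers are hypothetical stand-ins for the real `url`, `doi` and `isbn` route handlers.

```typescript
// Added example, not the project's code: SSRF-prone loopback pattern beside the fix.
// Standard Request/Response (Node 18+) stand in for NextRequest so this runs without Next.js.
type Kind = 'url' | 'doi' | 'isbn';
type Handler = (req: Request) => Promise<Response>;
interface LookupResult { type: Kind; success: boolean; data: { title: string } }

// Hypothetical stand-ins for the imported route handlers: each echoes its input as a title.
const makeHandler = (kind: Kind): Handler => async (req) => {
  const body = (await req.json()) as Record<string, string>;
  return new Response(JSON.stringify({ title: `${kind}:${body[kind]}` }), {
    headers: { 'content-type': 'application/json' },
  });
};
const handlers: Record<Kind, Handler> = {
  url: makeHandler('url'),
  doi: makeHandler('doi'),
  isbn: makeHandler('isbn'),
};

// BEFORE: the origin the server would connect to comes from the incoming request, i.e. from
// the client-supplied Host header, so whoever controls Host picks the fetch target.
function loopbackTarget(incomingHeaders: Headers, kind: Kind): string {
  const host = incomingHeaders.get('host') ?? 'localhost:3000';
  return `http://${host}/api/lookup/${kind}`;
}

// AFTER: no network hop at all. The synthetic request carries a fixed placeholder origin
// (the handlers only read its body), so nothing client-controlled ever reaches a URL.
function internalRequest(kind: Kind, body: Record<string, string>): Request {
  return new Request(`http://internal.invalid/api/lookup/${kind}`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(body),
  });
}

// Bulk route body: dispatch each item straight to the imported handler.
async function bulkLookup(items: { type: Kind; value: string }[]): Promise<LookupResult[]> {
  const results: LookupResult[] = [];
  for (const item of items) {
    const req = internalRequest(item.type, { [item.type]: item.value });
    const res = await handlers[item.type](req);
    results.push({ type: item.type, success: res.ok, data: await res.json() });
  }
  return results;
}
```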