
fix(expo-cicd-workflows): add URL allowlist to fetch.js to prevent SSRF #52

Open

xiaolai wants to merge 1 commit into expo:main from xiaolai:fix/nlpm-fetch-url-validation


Conversation

xiaolai commented Apr 27, 2026


Automated audit: This PR was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the diff on its merits.

Security Fix (Medium)

plugins/expo/skills/expo-cicd-workflows/scripts/fetch.js accepts any URL via process.argv[2] and passes it directly to fetch() without validating the scheme or domain (lines 96–107). If the script is ever invoked with attacker-controlled input outside the documented skill context, an adversary could supply an arbitrary URL — including internal metadata endpoints like http://169.254.169.254/ — triggering a Server-Side Request Forgery (SSRF).

Fix: Add an ALLOWED_URL_PREFIXES array containing the URLs this script legitimately needs (https://api.expo.dev/, https://raw.githubusercontent.com/expo/, https://docs.expo.dev/) and a guard function assertAllowedUrl() that rejects any URL not matching those prefixes. The guard is called immediately after the argument is validated, before any network request is made.

This is a defence-in-depth improvement. The practical risk within the skill context is low, but the fix costs nothing and makes the script's intended scope explicit.

Co-Authored-By: Claude Code <noreply@anthropic.com>
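The guard described in the PR body, written out as an added example (this is not the PR's diff and not the skill's actual fetch.js). It keeps the ALLOWED_URL_PREFIXES list from the description but, as an assumption of this example, matches scheme and host exactly after parsing with the WHATWG URL class instead of doing a raw string-prefix comparison, so that host-suffix, userinfo and non-default-port variations of an allowlisted name are rejected rather than accidentally accepted. The sample inputs at the bottom are constructed for illustration.

```javascript
// Added example, not code from the expo repository. It shows one way to
// implement the assertAllowedUrl() guard the PR description proposes, for a
// script that takes a URL from process.argv and hands it to fetch().

// The allowlist from the PR description. Each entry is scheme + host + a path
// prefix that requests must stay under.
const ALLOWED_URL_PREFIXES = [
  'https://api.expo.dev/',
  'https://raw.githubusercontent.com/expo/',
  'https://docs.expo.dev/',
];

// Parse the allowlist once into {protocol, host, pathPrefix} records so the
// comparison below is structural, not a string startsWith() on the raw URL.
const ALLOWED = ALLOWED_URL_PREFIXES.map((p) => {
  const u = new URL(p);
  return { protocol: u.protocol, host: u.host, pathPrefix: u.pathname };
});

// Returns true only when `raw` parses as a URL whose scheme and host exactly
// equal an allowlisted entry and whose (normalised) path starts with that
// entry's path prefix. Anything unparsable is denied.
function isAllowedUrl(raw) {
  let u;
  try {
    u = new URL(String(raw));
  } catch {
    return false; // not a URL at all
  }
  // "https://api.expo.dev@evil.example/" parses with username "api.expo.dev"
  // and host "evil.example"; refuse any userinfo rather than reason about it.
  if (u.username || u.password) return false;
  return ALLOWED.some(
    (a) =>
      u.protocol === a.protocol &&
      u.host === a.host && // includes a non-default port, so ":8443" is rejected
      u.pathname.startsWith(a.pathPrefix),
  );
}

// Throws before any network request when the URL is outside the allowlist;
// returns the URL unchanged otherwise so it can be passed straight to fetch().
function assertAllowedUrl(raw) {
  if (!isAllowedUrl(raw)) {
    throw new Error(`Refusing to fetch URL outside allowlist: ${raw}`);
  }
  return raw;
}

// Constructed sample inputs; the link-local metadata address is the case the
// PR description calls out.
const SAMPLE_URLS = [
  'https://api.expo.dev/v2/projects',
  'https://raw.githubusercontent.com/expo/expo/main/package.json',
  'http://169.254.169.254/latest/meta-data/',
  'https://api.expo.dev.attacker.example/v2/',
  'https://raw.githubusercontent.com/someone-else/repo/main/x.json',
  'not a url',
];
for (const s of SAMPLE_URLS) {
  console.log(isAllowedUrl(s) ? 'ALLOW' : 'DENY ', s);
}
```

One caveat the PR body does not mention: fetch() follows HTTP redirects by default, so a guard applied to the command-line argument only constrains the first request. If an allowlisted host could ever redirect elsewhere, call fetch() with `redirect: 'manual'` (a standard fetch option) and run assertAllowedUrl() on the Location header before following it.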
