@kolega-ai-dev

Security Disclosure Notice

This PR addresses a security vulnerability identified by Kolega.dev as part of our automated security remediation platform validation.

Disclosure Timeline:

  • December 10, 2025: Initial responsible disclosure sent to security@nocodb.com with full technical details, reproduction steps, and proposed fixes
  • December 16, 2025: Follow-up sent noting the approaching 7-day SLA
  • December 19, 2025: No acknowledgment received; PR submitted publicly per standard responsible disclosure practices

We attempted to coordinate privately through NocoDB's official security reporting channel. After exceeding the published response SLA without acknowledgment, we are proceeding with public disclosure to ensure the community can protect their deployments.

Vulnerability identified and fix provided by Kolega.dev (https://kolega.dev/)

Change Summary

Applied SSRF protection to axios.head() request in uploadViaURL() method. Added useAgent with stopPortScanningByUrlRedirection to prevent Server-Side Request Forgery attacks via redirect chains to internal hosts.

Change type

  • feat: (new feature for the user, not a new feature for build script)
  • fix: (bug fix for the user, not a fix to a build script)
  • docs: (changes to the documentation)
  • style: (formatting, missing semicolons, etc.; no production code change)
  • refactor: (refactoring production code, e.g. renaming a variable)
  • test: (adding missing tests, refactoring tests; no production code change)
  • chore: (updating grunt tasks etc; no production code change)

Test / Verification

  • Verify file upload via URL continues to work normally with valid external URLs
  • Confirm that attempts to access internal/private IP addresses via URL redirects are blocked
  • Test with various redirect scenarios (301, 302, etc.) to ensure SSRF protection is active

Additional information / screenshots (optional)

This change aligns the axios.head() call with other axios requests in the codebase that already use useAgent for SSRF protection. The protection specifically guards against port scanning and internal network access via URL redirect chains.

@CLAassistant

CLAassistant commented Dec 19, 2025

CLA assistant check
All committers have signed the CLA.

Add useAgent to the axios.head() request in uploadViaURL() to prevent
SSRF attacks via redirect chains. The HEAD request can now properly
validate and restrict redirects to internal hosts, consistent with
other axios calls in the codebase.
@FaizanKolega force-pushed the nc-fix/upload-url-ssrf-protection branch from 1f815a1 to 96db2c2 on December 19, 2025 16:28