
Fix OAuth2 avatar fetch SSRF guard with source-based allowlist #37123

Draft
lunny wants to merge 1 commit into go-gitea:main from lunny:lunny/oauth_avatar

Conversation

@lunny
Member

@lunny lunny commented Apr 6, 2026

  • Use hostmatcher with a safe allowlist derived from OAuth2 source URLs plus external hosts
  • Ensure avatar sync uses OAuth2 source data to build the allowlist
  • Add unit coverage for avatar allowlist behavior and nil source handling

Generated by a Coding Agent with Codex 5.2
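An added example (not code from this PR or from Gitea) of the guard the description outlines: derive an allowlist of hosts from the OAuth2 source's endpoint URLs plus explicitly configured external hosts, handle a nil source, and check the avatar URL against that list before fetching. The `OAuth2Source` type, its field names and the external-host slice are assumptions, and a plain map stands in for Gitea's hostmatcher package.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OAuth2Source is a hypothetical stand-in for an OAuth2 login source record
// (constructed for this example, not Gitea's type); only its URLs matter here.
type OAuth2Source struct {
	AuthURL, TokenURL, ProfileURL string
}

// allowlistFromSource derives the hosts an avatar fetch may contact: every host in the
// source's endpoint URLs plus configured external hosts. A nil source contributes nothing.
func allowlistFromSource(src *OAuth2Source, external []string) map[string]bool {
	allowed := map[string]bool{}
	if src != nil {
		for _, raw := range []string{src.AuthURL, src.TokenURL, src.ProfileURL} {
			if u, err := url.Parse(raw); err == nil && u.Hostname() != "" {
				allowed[strings.ToLower(u.Hostname())] = true
			}
		}
	}
	for _, h := range external {
		allowed[strings.ToLower(h)] = true
	}
	return allowed
}

// checkAvatarURL rejects an avatar URL unless it is http(s) and its host is allowlisted.
func checkAvatarURL(raw string, allowed map[string]bool) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("avatar URL scheme %q is not http or https", u.Scheme)
	}
	if host := strings.ToLower(u.Hostname()); !allowed[host] {
		return fmt.Errorf("host %q is not in the OAuth2 source allowlist", host)
	}
	return nil
}

func main() {
	src := &OAuth2Source{AuthURL: "https://idp.example.com/authorize", ProfileURL: "https://api.example.com/userinfo"}
	allowed := allowlistFromSource(src, []string{"cdn.example.net"})
	fmt.Println(checkAvatarURL("https://api.example.com/u/1.png", allowed))    // <nil>
	fmt.Println(checkAvatarURL("http://internal-service.local/x.png", allowed)) // rejected: not allowlisted
}
```

Matching on hostname alone does not stop an allowlisted name from resolving to an internal address, so a production guard should also enforce the address policy at dial time.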

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 6, 2026
Contributor

@wxiaoguang wxiaoguang left a comment


Can't be right

@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 6, 2026
@lunny lunny removed the modifies/go label Apr 19, 2026