From b541623c9eee8a6ebeaa822641e67d6e0a3ab4df Mon Sep 17 00:00:00 2001
From: timothycarambat <rambat1010@gmail.com>
Date: Tue, 13 Aug 2024 17:46:07 -0700
Subject: [PATCH] add SSRF notice

---
 collector/utils/url/index.js | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/collector/utils/url/index.js b/collector/utils/url/index.js
index e8cd4a766..dd0be2e99 100644
--- a/collector/utils/url/index.js
+++ b/collector/utils/url/index.js
@@ -1,3 +1,16 @@
+/**  ATTN: SECURITY RESEARCHERS
+ * To Security researchers about to submit an SSRF report CVE - please don't.
+ * We are aware that the code below is does not defend against any of the thousands of ways
+ * you can map a hostname to another IP. The code below does not have intention of blocking this
+ * and is simply to prevent the user from accidentally putting in non-valid websites, which is all this protects
+ * since _all urls must be submitted by the user anyway_ and cannot be done with authentication and manager or admin roles.
+ * If an attacker has those roles then the system is already vulnerable and this is not a primary concern.
+ * 
+ * We have gotten this report may times, marked them as duplicate or information and continue to get them. We communicate
+ * already that deployment (and security) of an instance is on the deployer and system admin deploying it. This would include
+ * isolation, firewalls, and the general security of the instance.
+*/
+
 const VALID_PROTOCOLS = ["https:", "http:"];
 const INVALID_OCTETS = [192, 172, 10, 127];
 
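Review bot: The new header comment's central security argument is inverted by a typo: "cannot be done with authentication and manager or admin roles" reads as if unauthenticated users can submit URLs, which is the opposite of what the rest of the paragraph argues; it should read `* since _all urls must be submitted by the user anyway_ and cannot be done without authentication and manager or admin roles.`. The same block has two further slips worth fixing while it is being added: `* We are aware that the code below does not defend against any of the thousands of ways` and `* We have gotten this report many times, marked them as duplicate or informational and continue to get them.`. Since the comment exists to tell readers what this code is and is not, it would help to state plainly what the check does — from the INVALID_OCTETS line it appears to match only the first octet, so it rejects whole /8 ranges rather than the RFC 1918 subranges, though isInvalidIp itself is outside this hunk — and to name the actual mitigation deployers are expected to apply (network-level egress restriction and isolation of the collector), so that the note reads as guidance rather than only as a rebuttal.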
@@ -19,7 +32,7 @@ function validURL(url) {
     if (!VALID_PROTOCOLS.includes(destination.protocol)) return false;
     if (isInvalidIp(destination)) return false;
     return true;
-  } catch {}
+  } catch { }
   return false;
 }