
Conversation

@JSerFeng
Contributor

  • Re-validate HttpUriPlugin redirects against allowedUris
  • Restrict redirects to http(s) protocols only
  • Add a conservative redirect limit (5) to prevent SSRF and untrusted content inclusion
  • Redirects failing policy are rejected before caching/lockfile writes

This addresses the same security vulnerability that was fixed in webpack commit webpack/webpack#20230

Summary

Related links

Checklist

  • Tests updated (or not required).
  • Documentation updated (or not required).

Copilot AI review requested due to automatic review settings December 16, 2025 03:44
@netlify

netlify bot commented Dec 16, 2025

Deploy Preview for rspack canceled.

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 2f8f4b2 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/rspack/deploys/6941258e66960900087c0363 |

@github-actions github-actions bot added the labels team (The issue/pr is created by the member of Rspack.) and release: bug fix (release: bug related release (mr only)) Dec 16, 2025
Contributor

Copilot AI left a comment


Pull request overview

This PR addresses a critical security vulnerability in the HttpUriPlugin by implementing redirect validation and enforcement mechanisms to prevent SSRF (Server-Side Request Forgery) attacks and untrusted content inclusion. The fix follows the same approach as webpack's security patch in PR #20230.

Key Changes:

  • Added redirect validation to ensure redirected URLs comply with the allowedUris policy
  • Restricted redirects to only http(s) protocols, preventing protocol smuggling attacks
  • Implemented a conservative 5-redirect limit to prevent redirect loops and SSRF amplification

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| crates/rspack_plugin_schemes/src/http_uri/mod.rs | Core security implementation: added validate_redirect_location() function to check redirects against policy, added MAX_REDIRECTS constant and enforcement, added sanitize_url_for_error() helper for safe error reporting, and modified resolve_content() to accept redirect count parameter |
| tests/rspack-test/configCases/asset-modules/http-redirect-security/server/index.js | Test infrastructure: HTTP server implementation with various redirect scenarios including allowed redirects, disallowed redirects, non-HTTP protocol redirects, and long redirect chains |
| tests/rspack-test/configCases/asset-modules/http-redirect-security/rspack.config.js | Test configuration with HttpUriPlugin configured to only allow http://localhost:9991/ URIs |
| tests/rspack-test/configCases/asset-modules/http-redirect-security/index.js | Comprehensive test suite validating all security scenarios: allowed redirects, disallowed URI redirects, non-HTTP protocol redirects, and excessive redirect chains |
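The policy that the PR description and the review above both describe (re-validate every redirect hop against allowedUris, accept only http(s) targets, cap the chain at MAX_REDIRECTS = 5, and reject before anything reaches the cache or lockfile) as an added, stand-alone Rust example. This is not the rspack plugin's code: the function names mirror the ones listed in the review, but their signatures are my assumptions; allowedUris is modelled as string prefixes only (the real option also accepts regexes and functions); Location headers are resolved without a URL crate; and the test server is replaced by a constructed in-memory map that reproduces the four scenarios named in the review (the paths, ports and bodies are made up here).

```rust
use std::collections::HashMap;

/// Conservative limit on redirects followed for one request (the value this PR chose).
pub const MAX_REDIRECTS: usize = 5;

/// Why a hop was refused; variants carry only a scheme or `scheme://host`, never the raw Location.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum RedirectError {
    TooManyRedirects { limit: usize },
    UnsupportedScheme(String),
    NotAllowed(String),
    MissingLocation,
    HttpStatus(u16),
}

/// Scheme of `s` if it starts with one (`scheme:` per RFC 3986), else None.
fn scheme_of(s: &str) -> Option<&str> {
    let scheme = &s[..s.find(':')?];
    let head_ok = scheme.chars().next().map_or(false, |c| c.is_ascii_alphabetic());
    let tail_ok = scheme.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.'));
    (head_ok && tail_ok).then_some(scheme)
}

/// Split an absolute URL into (scheme, authority, path-plus-query-fragment).
fn split_url(url: &str) -> (&str, &str, &str) {
    let scheme = scheme_of(url).unwrap_or("");
    let rest = url[scheme.len()..].trim_start_matches(':');
    let rest = rest.strip_prefix("//").unwrap_or(rest);
    match rest.find(|c: char| c == '/' || c == '?' || c == '#') {
        Some(i) => (scheme, &rest[..i], &rest[i..]),
        None => (scheme, rest, "/"),
    }
}

/// Resolve a Location header against the redirecting URL (absolute, `//h/p`, `/p` and `p` forms).
/// Hand-rolled so the example needs no URL crate; the base is assumed to be an absolute http(s) URL.
fn resolve_location(base: &str, location: &str) -> String {
    if scheme_of(location).is_some() { return location.to_string(); }
    let (scheme, authority, path) = split_url(base);
    if let Some(rest) = location.strip_prefix("//") { return format!("{scheme}://{rest}"); }
    if location.starts_with('/') { return format!("{scheme}://{authority}{location}"); }
    // Directory-relative: drop query/fragment and the last segment of the base path.
    let path = path.split(|c: char| c == '?' || c == '#').next().filter(|p| !p.is_empty()).unwrap_or("/");
    let dir = &path[..=path.rfind('/').unwrap_or(0)];
    format!("{scheme}://{authority}{dir}{location}")
}

/// Reduce a URL to `scheme://host[:port]` for error messages (userinfo, path, query dropped).
fn sanitize_url_for_error(url: &str) -> String {
    let (scheme, authority, _) = split_url(url);
    format!("{scheme}://{}", authority.rsplit('@').next().unwrap_or(authority))
}

/// Policy applied to every hop before it is requested: the chain is still under MAX_REDIRECTS,
/// the target is http(s), and the resolved target matches allowedUris (string prefixes here).
pub fn validate_redirect_location(base: &str, location: &str, allowed: &[&str], redirects: usize) -> Result<String, RedirectError> {
    if redirects >= MAX_REDIRECTS {
        return Err(RedirectError::TooManyRedirects { limit: MAX_REDIRECTS });
    }
    let resolved = resolve_location(base, location);
    let scheme = scheme_of(&resolved).unwrap_or("").to_ascii_lowercase();
    if scheme != "http" && scheme != "https" {
        return Err(RedirectError::UnsupportedScheme(scheme));
    }
    if !allowed.iter().any(|prefix| resolved.starts_with(prefix)) {
        return Err(RedirectError::NotAllowed(sanitize_url_for_error(&resolved)));
    }
    Ok(resolved)
}

/// Constructed in-memory stand-in for the test server: URL -> (status, Location, body).
pub type FakeServer = HashMap<String, (u16, Option<String>, String)>;

/// Fetch like the patched plugin: validate each hop before following it and hand back only a
/// final 200 body, so a rejected redirect never reaches the cache or lockfile.
pub fn resolve_content(server: &FakeServer, url: &str, allowed: &[&str]) -> Result<String, RedirectError> {
    let (mut current, mut redirects) = (url.to_string(), 0);
    loop {
        let (status, location, body) = server.get(&current).map_or((404, None, ""), |r| (r.0, r.1.as_deref(), r.2.as_str()));
        match status {
            200 => return Ok(body.to_string()),
            301 | 302 | 303 | 307 | 308 => {
                let loc = location.ok_or(RedirectError::MissingLocation)?;
                current = validate_redirect_location(&current, loc, allowed, redirects)?;
                redirects += 1;
            }
            other => return Err(RedirectError::HttpStatus(other)),
        }
    }
}

/// The review's four redirect scenarios rebuilt as constructed data (not the real test fixture).
pub fn sample_server() -> FakeServer {
    let mut s = FakeServer::new();
    let mut add = |path: &str, status: u16, loc: Option<&str>, body: &str| {
        s.insert(format!("http://localhost:9991{path}"), (status, loc.map(str::to_string), body.to_string()));
    };
    add("/ok", 200, None, "export default 'ok';");
    add("/redirect-allowed", 302, Some("/ok"), "");
    add("/redirect-disallowed", 302, Some("http://user:secret@localhost:9992/ok"), "");
    add("/redirect-ftp", 302, Some("ftp://example.test/asset.js"), "");
    for i in 0..6 { // /chain/0 needs six hops (one over the limit), /chain/1 exactly five
        add(&format!("/chain/{i}"), 302, Some(&format!("/chain/{}", i + 1)[..]), "");
    }
    add("/chain/6", 200, None, "export default 'end of chain';");
    s
}
```

Two points a practitioner should take from the shape of this check. First, the count is compared before the hop is followed, so a chain of exactly five redirects succeeds and the sixth is refused; when reviewing a port of this fix, confirm the off-by-one matches the intended limit. Second, with plain prefix matching an allowedUris entry must end in a slash (`http://localhost:9991/`), otherwise `http://localhost:99910/` would also pass; scheme-relative `//host/path` locations are resolved to a new origin before the prefix test for the same reason.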


@github-actions
Contributor

github-actions bot commented Dec 16, 2025

Rsdoctor Bundle Diff Analysis

Found 5 project(s) in monorepo.

📁 react-10k

Path: ../build-tools-performance/cases/react-10k/dist/rsdoctor-data.json

📌 Baseline Commit: 5fade2fad0 | PR: #12445

| Metric | Current | Baseline | Change |
| --- | --- | --- | --- |
| 📊 Total Size | 5.7 MB | 5.7 MB | 153.0 B (0.0%) |
| 📄 JavaScript | 5.7 MB | 5.7 MB | 153.0 B (0.0%) |
| 🎨 CSS | 21.0 B | 21.0 B | 0 B (0.0%) |
| 🌐 HTML | 0 B | 0 B | N/A |
| 📁 Other Assets | 0 B | 0 B | N/A |

📦 Download Diff Report: react-10k Bundle Diff

📁 react-1k

Path: ../build-tools-performance/cases/react-1k/dist/rsdoctor-data.json

📌 Baseline Commit: 5fade2fad0 | PR: #12445

| Metric | Current | Baseline | Change |
| --- | --- | --- | --- |
| 📊 Total Size | 823.6 KB | 823.4 KB | 153.0 B (0.0%) |
| 📄 JavaScript | 823.6 KB | 823.4 KB | 153.0 B (0.0%) |
| 🎨 CSS | 0 B | 0 B | N/A |
| 🌐 HTML | 0 B | 0 B | N/A |
| 📁 Other Assets | 0 B | 0 B | N/A |

📦 Download Diff Report: react-1k Bundle Diff

📁 react-5k

Path: ../build-tools-performance/cases/react-5k/dist/rsdoctor-data.json

📌 Baseline Commit: 5fade2fad0 | PR: #12445

| Metric | Current | Baseline | Change |
| --- | --- | --- | --- |
| 📊 Total Size | 2.7 MB | 2.7 MB | 153.0 B (0.0%) |
| 📄 JavaScript | 2.7 MB | 2.7 MB | 153.0 B (0.0%) |
| 🎨 CSS | 21.0 B | 21.0 B | 0 B (0.0%) |
| 🌐 HTML | 0 B | 0 B | N/A |
| 📁 Other Assets | 0 B | 0 B | N/A |

📦 Download Diff Report: react-5k Bundle Diff

📁 rome

Path: ../build-tools-performance/cases/rome/dist/rsdoctor-data.json

📌 Baseline Commit: 5fade2fad0 | PR: #12445

| Metric | Current | Baseline | Change |
| --- | --- | --- | --- |
| 📊 Total Size | 984.3 KB | 984.3 KB | 0 B (0.0%) |
| 📄 JavaScript | 984.3 KB | 984.3 KB | 0 B (0.0%) |
| 🎨 CSS | 0 B | 0 B | N/A |
| 🌐 HTML | 0 B | 0 B | N/A |
| 📁 Other Assets | 0 B | 0 B | N/A |

📦 Download Diff Report: rome Bundle Diff

📁 ui-components

Path: ../build-tools-performance/cases/ui-components/dist/rsdoctor-data.json

📌 Baseline Commit: 5fade2fad0 | PR: #12445

| Metric | Current | Baseline | Change |
| --- | --- | --- | --- |
| 📊 Total Size | 2.1 MB | 2.1 MB | 1.6 KB (0.1%) |
| 📄 JavaScript | 2.0 MB | 2.0 MB | 1.6 KB (0.1%) |
| 🎨 CSS | 83.0 KB | 83.0 KB | 0 B (0.0%) |
| 🌐 HTML | 0 B | 0 B | N/A |
| 📁 Other Assets | 0 B | 0 B | N/A |

📦 Download Diff Report: ui-components Bundle Diff

Generated by Rsdoctor GitHub Action

@github-actions
Contributor

github-actions bot commented Dec 16, 2025

📦 Binary Size-limit

Comparing 2f8f4b2 to feat(deps)!: bump swc_core from 46.0.3 to 50.2.3 and swc_experimental (#12445) by CPunisher

❌ Size increased by 3.88KB from 48.28MB to 48.28MB (⬆️0.01%)

@codspeed-hq

codspeed-hq bot commented Dec 16, 2025

CodSpeed Performance Report

Merging #12463 will not alter performance

Comparing fix/security-http-redirects (2f8f4b2) with main (5fade2f)

Summary

✅ 17 untouched

@JSerFeng JSerFeng force-pushed the fix/security-http-redirects branch from 921a958 to ee64bcc Compare December 16, 2025 07:03
…s; enforce http(s) and max redirects

- Re-validate HttpUriPlugin redirects against allowedUris
- Restrict redirects to http(s) protocols only
- Add a conservative redirect limit (5) to prevent SSRF and untrusted content inclusion
- Redirects failing policy are rejected before caching/lockfile writes

This addresses the same security vulnerability that was fixed in webpack commit 2179fdbcb34fba57acc51377a5ff6ddecc97ac7f
@JSerFeng JSerFeng force-pushed the fix/security-http-redirects branch from ee64bcc to 2f8f4b2 Compare December 16, 2025 09:25
@JSerFeng JSerFeng merged commit 8bcf0f8 into main Dec 16, 2025
99 of 104 checks passed
@JSerFeng JSerFeng deleted the fix/security-http-redirects branch December 16, 2025 11:51
chenjiahan pushed a commit that referenced this pull request Dec 17, 2025
…rce http(s) and max redirects (#12463)

fix(security): re-validate HttpUriPlugin redirects against allowedUris; enforce http(s) and max redirects

- Re-validate HttpUriPlugin redirects against allowedUris
- Restrict redirects to http(s) protocols only
- Add a conservative redirect limit (5) to prevent SSRF and untrusted content inclusion
- Redirects failing policy are rejected before caching/lockfile writes

This addresses the same security vulnerability that was fixed in webpack commit 2179fdbcb34fba57acc51377a5ff6ddecc97ac7f
@CPunisher CPunisher mentioned this pull request Dec 17, 2025
2 tasks