appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.


fix(ssrf): expand metadata denylist (GHSA-9m89-5jw7-q5cr) (#41643)

<!-- CURSOR_AGENT_PR_BODY_BEGIN -->
## Description
Fixes APP-15026

- expand the shared metadata denylist with additional well-known
metadata endpoints used by Alibaba, Azure, Tencent, ECS task metadata,
and GCP IPv6 metadata
- normalize host comparisons so case, trailing dots, and IPv4-compatible
IPv6 literals are checked consistently against the denylist
- add focused `WebClientUtils` regression tests for the new denylist
coverage

### Validation
- `mvn spotless:apply`
- `mvn -pl appsmith-interfaces -Dtest=WebClientUtilsTest test`
- `mvn -pl appsmith-plugins/restApiPlugin -am -Dtest=RestApiPluginTest#testDenyInstanceMetadataAwsViaCompatibleIpv6Address -Dsurefire.failIfNoSpecifiedTests=false test`

## Automation

/ok-to-test tags="@tag.All"

### :mag: Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/23350965531>
> Commit: 4737f73e00812957fb6748c74d2070e49ac83577
> <a href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=23350965531&attempt=1" target="_blank">Cypress dashboard</a>.
> Tags: `@tag.All`
> Spec:
> <hr>Fri, 20 Mar 2026 17:06:58 UTC
<!-- end of auto-generated comment: Cypress test results  -->

## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No

<!-- CURSOR_AGENT_PR_BODY_END -->


<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **Bug Fixes**
  * Improved host normalization and canonicalization to more reliably block additional cloud metadata endpoints (including Tencent variants), IP literal forms, and Docker loopback addresses.

* **Tests**
  * Added parameterized tests verifying request filtering and denylist behavior across IPv4, IPv6, and metadata-hostname variants.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: subratadeypappu <subrata71@users.noreply.github.com>
subratadeypappu committed e77639eca4974469c1e676904851ffdaedd38111
Parent: 67bc0af
Committed by GitHub <noreply@github.com> on 3/20/2026, 7:15:42 PM
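As an added example (not the project's code), the host canonicalization the commit describes, written in Python: lower-case the host, drop a trailing dot, strip IPv6 URL brackets, and fold IPv4-mapped and IPv4-compatible IPv6 literals down to IPv4 before comparing against a denylist. The denylist entries and function names are constructed for illustration and are only a subset; they are not the project's `WebClientUtils` list.

```python
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed, illustrative subset of cloud metadata endpoints (not the project's list).
DENIED_HOSTNAMES = {
    "metadata.google.internal",   # GCP
    "metadata.tencentyun.com",    # Tencent Cloud
}
DENIED_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),  # AWS / Azure / GCP / Tencent IMDS
    ipaddress.ip_address("169.254.170.2"),    # ECS task metadata endpoint
    ipaddress.ip_address("100.100.100.200"),  # Alibaba Cloud metadata
    ipaddress.ip_address("fd00:ec2::254"),    # AWS IMDS over IPv6
}


def canonical_host(host: str) -> str:
    """Lower-case, drop a trailing FQDN dot, and strip IPv6 URL brackets."""
    h = host.strip().lower().rstrip(".")
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    return h


def canonical_address(host: str) -> Optional[IPAddr]:
    """Parse an IP literal; fold IPv4-mapped/compatible IPv6 forms to IPv4."""
    try:
        ip = ipaddress.ip_address(canonical_host(host))
    except ValueError:
        return None  # not an IP literal, treat as a hostname
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:            # ::ffff:a.b.c.d
            return ip.ipv4_mapped
        raw = int(ip)
        if raw > 1 and raw >> 32 == 0:            # ::a.b.c.d (IPv4-compatible)
            return ipaddress.IPv4Address(raw & 0xFFFFFFFF)
    return ip


def is_denied(host: str) -> bool:
    """True if the host names or addresses a denylisted metadata endpoint."""
    ip = canonical_address(host)
    if ip is not None:
        return ip in DENIED_ADDRESSES
    return canonical_host(host) in DENIED_HOSTNAMES
```

A literal-string denylist only catches what is written in the URL; a complete SSRF defense also checks the addresses a hostname resolves to at connection time.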