fix: Validate fetch-apify-docs URL by hostname, not prefix #781
Merged
Conversation
GHSA-jwp7-wg77-3w9v: `url.startsWith(domain)` against allowlist entries like `https://docs.apify.com` is bypassable by URLs such as `https://docs.apify.com.evil.com/`, `https://docs.apify.com@evil.com/`, or `https://docs.apify.com.evil.com:8080/`. The bypass lets the tool fetch attacker-controlled HTML and return it to the LLM, enabling prompt injection. Replace the prefix check with a parsed-URL comparison: derive allowed hostnames from `ALLOWED_DOC_DOMAINS` once at module load and require `new URL(url)` to have `protocol === 'https:'` and a hostname in that set. Add unit coverage for the bypass cases and other rejections.
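As an added example (not the PR's own diff), the bypassable prefix check side by side with the parsed-URL hostname check the description calls for; the contents of `ALLOWED_DOC_DOMAINS` are assumed to match the allowlist entry quoted in the advisory, and the sample URLs are the advisory's bypass cases plus a few constructed ones.

```javascript
// Assumed allowlist shape: full origins, as in the advisory's example entry.
const ALLOWED_DOC_DOMAINS = ['https://docs.apify.com'];

// Vulnerable form: a plain string-prefix test. Any URL whose text begins with
// the allowlisted string passes, so hosts like docs.apify.com.evil.com and
// userinfo tricks like docs.apify.com@evil.com are accepted.
function isAllowedByPrefix(url) {
  return ALLOWED_DOC_DOMAINS.some((domain) => url.startsWith(domain));
}

// Hardened form: derive the allowed hostnames once at module load, then compare
// the parsed URL's protocol and hostname instead of its leading characters.
const ALLOWED_HOSTNAMES = new Set(
  ALLOWED_DOC_DOMAINS.map((domain) => new URL(domain).hostname),
);

function isAllowedByHostname(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparsable input is rejected rather than treated as allowed
  }
  // WHATWG URL lower-cases the hostname, so case variants normalise correctly.
  return parsed.protocol === 'https:' && ALLOWED_HOSTNAMES.has(parsed.hostname);
}

// Constructed inputs: the advisory's bypass URLs plus a legitimate URL,
// a case variant, a non-https scheme and a non-URL string.
const SAMPLE_URLS = [
  'https://docs.apify.com/platform',
  'https://DOCS.Apify.com/platform',
  'https://docs.apify.com.evil.com/',
  'https://docs.apify.com@evil.com/',
  'https://docs.apify.com.evil.com:8080/',
  'http://docs.apify.com/',
  'not a url',
];

// Returns both verdicts per URL so the divergence is visible in one table.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    prefix: isAllowedByPrefix(url),
    hostname: isAllowedByHostname(url),
  }));
}

console.table(compareChecks());
```

Every advisory bypass URL passes the prefix check and fails the hostname check, while the upper-case host variant is rejected by the prefix check but correctly accepted after parsing.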
Fixes https://github.com/apify/apify-mcp-server/security/advisories/GHSA-jwp7-wg77-3w9v