fix : prevent DNS rebinding SSRF bypass in validateSafeUrl

[tmdeveloper007]

Fixes #2083

Summary

The validateSafeUrl function in lib/utils/ssrfValidator.ts used dns.lookup(), which delegates to the system resolver (respecting /etc/hosts and nsswitch.conf). This created a DNS rebinding window: an attacker could control what IP the system resolver returns independently of actual DNS records.

Changes

• lib/utils/ssrfValidator.ts: Replaced dns.lookup() with direct dns.resolve4()/dns.resolve6() calls. Changed return type from Promise<boolean> to Promise<UrlValidationResult> to include the validated public IP.
• lib/services/imageService.ts: Updated fetchAndValidateAvatarUrl to use the validated IP directly in the fetch URL with the original hostname preserved in the Host header, preventing DNS rebinding at fetch time.
• lib/services/securitySandboxService.ts: Updated buildSandboxImage to accept the validated IP and configure git with url.<base>.insteadOf to clone using the IP directly, preventing DNS rebinding during git operations.
• app/api/repositories/route.ts: Updated to use the new UrlValidationResult return type.

Security Impact

Closes the DNS rebinding window where an attacker could make a domain resolve to a public IP during validation but a private IP when the actual HTTP request or git clone is made.

[vercel]

Someone is attempting to deploy a commit to the Nisshchaya's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Warning

Review limit reached

@tmdeveloper007, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 41 minutes and 3 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 50f55651-92dd-4c83-ad57-b7f0cf069d76

📥 Commits

Reviewing files that changed from the base of the PR and between 9aa9b51 and 6f59b50.

📒 Files selected for processing (4)

• app/api/repositories/route.ts
• lib/services/imageService.ts
• lib/services/securitySandboxService.ts
• lib/utils/ssrfValidator.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🎉 Thanks for your contribution, @tmdeveloper007!

Your PR has passed our automated GSSoC quality checks. Here's a quick summary:

Check	Status
PR description	✅ Provided
PR title	✅ Meaningful
Linked issue	✅ Found
Change size	✅ Looks good (150 lines across 4 file(s))

A maintainer will review your PR soon. Please be patient and available for feedback. 💪

GSSoC'26 automation · Maintainer: @nisshchayarathi