From 08cbe90dc0ad6bfae05e09cac88c0439609ee746 Mon Sep 17 00:00:00 2001 From: yashsinghcodes Date: Tue, 16 Jun 2026 11:59:37 +0530 Subject: [PATCH 1/3] fix: strict check for github url --- shared.go | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/shared.go b/shared.go index ab53337e..ed53159c 100644 --- a/shared.go +++ b/shared.go @@ -29146,6 +29146,11 @@ func loadGithubWorkflows(url, username, password, userId, branch, orgId string) log.Printf("Starting load of %s with branch %s", url, branch) + if err := checkAllowedUrl(url); err != nil { + log.Printf("[ERROR] Blocked workflow git clone URL: %s", err) + return err + } + cloneOptions := &git.CloneOptions{ URL: url, } @@ -29293,6 +29298,11 @@ func listGithubWorkflowsInfo(url, username, password, branch, orgId string) ([]R } } + if err := checkAllowedUrl(url); err != nil { + log.Printf("[ERROR] Blocked workflow git clone URL: %s", err) + return nil, err + } + cloneOptions := &git.CloneOptions{URL: url} if len(username) > 0 && len(password) > 0 { cloneOptions.Auth = &http2.BasicAuth{Username: username, Password: password} @@ -29495,6 +29505,11 @@ func importSingleRemoteWorkflow(url, username, password, branch, originalWorkflo } } + if err := checkAllowedUrl(url); err != nil { + log.Printf("[ERROR] Blocked workflow git clone URL: %s", err) + return err + } + cloneOptions := &git.CloneOptions{URL: url} if len(username) > 0 && len(password) > 0 { cloneOptions.Auth = &http2.BasicAuth{Username: username, Password: password} 
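Review bot: The new guard in loadGithubWorkflows runs after `log.Printf("Starting load of %s with branch %s", url, branch)`, so a rejected URL is still announced as a started load and printed in full (userinfo included, if present) before it is blocked; moving the `checkAllowedUrl` block above that line keeps blocked requests out of the "started" trail. The same five-line guard is copied verbatim into listGithubWorkflowsInfo and importSingleRemoteWorkflow in the next two hunks, and since the log string is identical in all three, consider naming the entry point in it (`log.Printf("[ERROR] loadGithubWorkflows: blocked git clone URL: %s", err)`) so an operator can tell which path was hit. All three enclosing functions begin outside their hunks.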
@@ -37464,3 +37479,22 @@ func ListProcesses() ([]ProcessInfo, error) { return nil, fmt.Errorf("unsupported platform: %s", runtime.GOOS) } } + +func checkAllowedUrl(rawUrl string) error { + parsedUrl, err := url.Parse(rawUrl) + if err != nil { + return fmt.Errorf("invalid git url: %s", err) + } + + host := strings.ToLower(parsedUrl.Hostname()) + + if parsedUrl.Scheme != "https" { + return fmt.Errorf("unsupported git url scheme") + } + + if host != "github.com" && host != "gitlab.com" && host != "bitbucket.org" && host != "dev.azure.com" { + return fmt.Errorf("unsupported git host") + } + + return nil +} From c6b526eb12526208a08182199b954b57030c868d Mon Sep 17 00:00:00 2001 From: yashsinghcodes Date: Tue, 16 Jun 2026 12:47:19 +0530 Subject: [PATCH 2/3] fix: initialize missing environment auth --- db-connector.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/db-connector.go b/db-connector.go index a7f583a0..62a39bed 100755 --- a/db-connector.go +++ b/db-connector.go @@ -10352,6 +10352,14 @@ func SetEnvironment(ctx context.Context, env *Environment) error { env.Id = uuid.NewV4().String() } + if len(env.Auth) == 0 { + if len(os.Getenv("SHUFFLE_ENVIRONMENT_AUTH")) > 0 { + env.Auth = os.Getenv("SHUFFLE_ENVIRONMENT_AUTH") + } else { + env.Auth = uuid.NewV4().String() + } + } + timeNow := time.Now().Unix() if env.Created == 0 { env.Created = timeNow From e9d5e1958bf5633a8c72541df85252d1bed09ba9 Mon Sep 17 00:00:00 2001 From: yashsinghcodes Date: Tue, 16 Jun 2026 12:56:43 +0530 Subject: [PATCH 3/3] fix: not generating random auth --- db-connector.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/db-connector.go b/db-connector.go index 62a39bed..ca3d3c14 100755 --- a/db-connector.go +++ b/db-connector.go 
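Review bot: checkAllowedUrl wraps the parse error with `%s` instead of `%w`, uses `fmt.Errorf` with a constant string where `errors.New` is the idiom, tells the caller neither which scheme nor which host was rejected (which leaves the "Blocked workflow git clone URL" log lines in shared.go hard to act on), and has no doc comment. Because `Hostname()` strips the port, `https://github.com:8443/...` passes the allowlist while `www.github.com` does not; both may be intended for a strict allowlist, but the exact-match policy should be stated in a comment. This is a pre-clone check only: the git HTTP transport may follow redirects from an allowed host, so it narrows rather than replaces egress controls (hedged, since the transport configuration is not in the hunk). Go naming would be checkAllowedURL/rawURL, kept as is below so the three callers are untouched. A rewrite with an allowlist map, `%w`, and the offending value in each error:
```go
// allowedGitHosts is the exact-match allowlist of clone hosts. Subdomains
// (e.g. www.github.com) and self-hosted instances are deliberately rejected;
// the port is not checked because Hostname() strips it.
var allowedGitHosts = map[string]struct{}{
	"github.com":    {},
	"gitlab.com":    {},
	"bitbucket.org": {},
	"dev.azure.com": {},
}

// checkAllowedUrl returns an error unless rawUrl parses, uses https and names
// a host in allowedGitHosts. It is a pre-clone guard only: the transport may
// still follow redirects, so it does not replace network-level egress controls.
func checkAllowedUrl(rawUrl string) error {
	parsedUrl, err := url.Parse(rawUrl)
	if err != nil {
		return fmt.Errorf("invalid git url: %w", err)
	}

	if parsedUrl.Scheme != "https" {
		return fmt.Errorf("unsupported git url scheme %q", parsedUrl.Scheme)
	}

	host := strings.ToLower(parsedUrl.Hostname())
	if _, ok := allowedGitHosts[host]; !ok {
		return fmt.Errorf("unsupported git host %q", host)
	}

	return nil
}
```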
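Review bot: In SetEnvironment the new block reads `os.Getenv("SHUFFLE_ENVIRONMENT_AUTH")` twice; an if-initializer reads it once and makes the intent clearer: `if auth := os.Getenv("SHUFFLE_ENVIRONMENT_AUTH"); auth != "" { env.Auth = auth }`. The hunk also does not document that every environment saved without an Auth value receives the same process-wide secret, which presumably means one leaked value grants access to all of them; a comment above the block stating that SHUFFLE_ENVIRONMENT_AUTH is a shared default would help the next reader. The `else` fallback to `uuid.NewV4()` is removed again in the following commit, so it is not raised here. SetEnvironment begins outside the hunk.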
@@ -10355,8 +10355,6 @@ func SetEnvironment(ctx context.Context, env *Environment) error { if len(env.Auth) == 0 { if len(os.Getenv("SHUFFLE_ENVIRONMENT_AUTH")) > 0 { env.Auth = os.Getenv("SHUFFLE_ENVIRONMENT_AUTH") - } else { - env.Auth = uuid.NewV4().String() } }
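Review bot: With the `else` branch gone, an environment whose Auth is empty in a process where SHUFFLE_ENVIRONMENT_AUTH is unset is persisted with an empty Auth, and nothing in the code records that this is deliberate; the commit title says a random value must not be generated, but not why. A comment on the `if len(env.Auth) == 0 {` line, e.g. `// Auth is only ever taken from SHUFFLE_ENVIRONMENT_AUTH; when that is unset it is left empty on purpose - do not generate one here`, preserves that decision for the next maintainer. Whatever consumes env.Auth must treat the empty string as "no credential" rather than as a value that can match; that code is outside the hunk, so it is worth confirming. SetEnvironment begins outside the hunk.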