
@sergey-tihon (Member)

No description provided.

Thorium and others added 9 commits October 28, 2025 13:11
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
The readSchemaPath function now properly handles relative file paths (e.g., those
created with __SOURCE_DIRECTORY__) by attempting to resolve them to absolute paths
before treating them as remote URLs. This ensures paths like
'__SOURCE_DIRECTORY__ + "/../Schemas/v2/petstore.json"' are correctly recognized
as local files instead of being rejected by SSRF validation.
Merge path resolution into readSchemaPath to eliminate redundant calls and improve code clarity:
- Move getAbsolutePath logic into readSchemaPath, making it fully self-contained
- Remove dead code path that attempted to re-resolve with empty resolutionFolder
- Rename Cache modules to SwaggerCache and OpenApiCache to avoid naming conflicts
- Update test calls to pass resolutionFolder parameter
- All 274 tests pass (116 unit + 158 integration)
Copilot AI review requested due to automatic review settings November 2, 2025 13:11

Copilot AI left a comment


Pull Request Overview

This PR adds SSRF (Server-Side Request Forgery) protection to SwaggerProvider by restricting schema fetching to HTTPS URLs and blocking private/localhost IP addresses by default. A new SsrfProtection parameter (default true) allows developers to disable these restrictions for local development and testing.

Key changes:

  • Added comprehensive URL validation to block unsafe schemes (file://, ftp://, gopher://, dict://), HTTP protocol, and private IP ranges (IPv4/IPv6)
  • Introduced SsrfProtection static parameter for both SwaggerClientProvider and OpenApiClientProvider
  • Added content-type validation to prevent fetching non-schema files
  • Updated test files to use SsrfProtection=false for localhost connections

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

Summary per file:

File - Description
src/SwaggerProvider.DesignTime/Utils.fs - Core SSRF validation logic with IP range checks and URL scheme filtering
src/SwaggerProvider.DesignTime/Provider.SwaggerClient.fs - Added SsrfProtection parameter and updated cache key
src/SwaggerProvider.DesignTime/Provider.OpenApiClient.fs - Added SsrfProtection parameter and renamed cache module
tests/SwaggerProvider.Tests/SsrfSecurityTests.fs - Comprehensive test suite covering SSRF protection scenarios
tests/SwaggerProvider.Tests/SwaggerProvider.Tests.fsproj - Added new test file to project
tests/SwaggerProvider.ProviderTests/v2/Swashbuckle.ReturnControllers.Tests.fs - Updated to disable SSRF protection for localhost
tests/SwaggerProvider.ProviderTests/v3/Swashbuckle.ReturnControllers.Tests.fs - Updated to disable SSRF protection for localhost
docs/SwaggerClientProvider.md - Documentation for SSRF protection feature
docs/OpenApiClientProvider.md - Documentation for SSRF protection feature
README.md - Added security notice about SSRF protection
AGENTS.md - Added comprehensive build/test/style guidelines
.config/dotnet-tools.json - Updated fantomas version

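An added example, not SwaggerProvider's own code, of the validation shape the review and the readSchemaPath commit describe: try the value as a local file relative to the resolution folder first, and only then treat it as a URL, rejecting every scheme other than https and any literal private, loopback or link-local host (IPv4, IPv6 and IPv4-mapped IPv6), with the SsrfProtection flag as the opt-out. The SchemaSource type, the Result return and the function signatures are assumptions; content-type validation and re-checking DNS-resolved addresses are not shown.

```fsharp
open System
open System.IO
open System.Net
open System.Net.Sockets

// Assumed shape for the result; SwaggerProvider's own readSchemaPath may differ.
type SchemaSource =
    | LocalFile of string
    | RemoteUrl of Uri

/// True for loopback, link-local, unique-local and RFC 1918 addresses (IPv4 and IPv6).
let isPrivateOrLocal (addr: IPAddress) =
    // Unwrap ::ffff:a.b.c.d so the IPv4 checks cannot be sidestepped with IPv6 syntax
    let ip = if addr.IsIPv4MappedToIPv6 then addr.MapToIPv4() else addr
    let b = ip.GetAddressBytes()
    if IPAddress.IsLoopback ip || ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal then true
    elif ip.AddressFamily = AddressFamily.InterNetwork then
        b.[0] = 10uy                                          // 10.0.0.0/8
        || (b.[0] = 172uy && b.[1] >= 16uy && b.[1] <= 31uy)  // 172.16.0.0/12
        || (b.[0] = 192uy && b.[1] = 168uy)                   // 192.168.0.0/16
        || (b.[0] = 169uy && b.[1] = 254uy)                   // 169.254.0.0/16 (link-local, cloud metadata)
        || b.[0] = 0uy                                        // 0.0.0.0/8
    else
        (b.[0] &&& 0xfeuy) = 0xfcuy                           // fc00::/7 unique local
        || Array.forall ((=) 0uy) b                           // ::

/// Local-file-first resolution, then URL validation, in the order the commit message describes.
/// resolutionFolder plays the role of the type provider's resolution folder (__SOURCE_DIRECTORY__).
let readSchemaPath (resolutionFolder: string) (ssrfProtection: bool) (schemaPath: string) =
    let candidate =
        if Path.IsPathRooted schemaPath then schemaPath
        else Path.GetFullPath(Path.Combine(resolutionFolder, schemaPath))
    if File.Exists candidate then
        Ok(LocalFile candidate)
    else
        match Uri.TryCreate(schemaPath, UriKind.Absolute) with
        | false, _ -> Error(sprintf "'%s' is neither an existing file nor an absolute URL" schemaPath)
        | true, uri when not ssrfProtection -> Ok(RemoteUrl uri)   // SsrfProtection=false: opt out
        | true, uri when uri.Scheme <> Uri.UriSchemeHttps ->
            // Rejects file://, ftp://, gopher://, dict:// and plain http:// alike
            Error(sprintf "scheme '%s' is not allowed; only https is permitted" uri.Scheme)
        | true, uri ->
            // DnsSafeHost strips the [] around IPv6 literals so IPAddress.TryParse accepts them.
            // Only literal hosts are checked here; names are left to the HTTP layer to resolve and re-check.
            match IPAddress.TryParse uri.DnsSafeHost with
            | true, ip when isPrivateOrLocal ip ->
                Error(sprintf "host '%s' is a private or local address" uri.DnsSafeHost)
            | _ when uri.DnsSafeHost.Equals("localhost", StringComparison.OrdinalIgnoreCase) ->
                Error "host 'localhost' is not allowed"
            | _ -> Ok(RemoteUrl uri)
```

With ssrfProtection set to true, `readSchemaPath "/tmp" true "https://[::ffff:127.0.0.1]/swagger.json"` and `readSchemaPath "/tmp" true "http://169.254.169.254/"` both return an Error, while a relative path that exists on disk is returned as LocalFile without any URL check.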

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>