Icm 43582 vulnerability report blind ssrf at html rewriter.fastedge.gcore.dev lead to internal port

[ruslanti]

No description provided.

[Copilot]

Pull request overview

This PR addresses a blind SSRF vulnerability (ICM-43582) by implementing host validation to prevent requests to private/internal IP addresses and ports. The changes add security checks that reject requests targeting private networks, localhost, and other restricted IP ranges.

Key changes:

• Added private IP address validation for both IPv4 and IPv6 addresses
• Implemented host validation checks in HTTP backend and service layers
• Refactored key-value store operations to improve type safety and error handling

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
crates/http-backend/src/lib.rs	Added is_public_host() function and comprehensive private IP detection for IPv4/IPv6 to prevent SSRF attacks
crates/http-service/src/state.rs	Added host validation check using is_public_host() before processing backend requests
crates/key-value-store/src/lib.rs	Renamed zrange to zrange_by_score and updated return type to include scores
crates/key-value-store/src/redis_impl.rs	Updated Redis operations to match new interface and improved error handling
crates/key-value-store/Cargo.toml	Upgraded Redis dependency to 0.32 with additional features for safe iterators
crates/runtime/src/app.rs	Added serde(default) to param field and added comprehensive tests for deserialization
crates/reactor/src/lib.rs	Updated WIT path from SDK submodule to local reactor wit directory
.gitmodules	Changed submodule from SDK to FastEdge-wit repository
Cargo.toml	Version bump to 0.13.2
CHANGELOG.md	Added release notes for versions 0.13.1 and 0.13.2

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[qrdl]

Some of Copilot comments make sense, please take a look