
fix(fetchers): enforce rss feed outbound policy#99

Merged
chaliy merged 1 commit into main from fix/issue-93-rss-feed-ssrf-policy
Apr 15, 2026

Conversation

@chaliy
Contributor

@chaliy chaliy commented Apr 15, 2026

What

Enforce FetchKit's outbound policy for RSSFeedFetcher, including DNS pinning, private-IP blocking, redirect revalidation, and same-host redirect enforcement.

Closes #93.

Why

RSSFeedFetcher built its own redirect-following client and bypassed the hardened request path, which allowed loopback/private targets and cross-host redirects to slip past the documented SSRF protections.

How

  • route RSS requests through the shared manual-redirect request helper used by the default fetcher
  • keep the RSS-specific accept header and timeout while applying policy checks on every hop
  • add security regressions for direct loopback RSS fetches and cross-host redirects via localhost -> 127.0.0.1

Risk

  • Low
  • RSS requests now use the hardened redirect flow; the main regression risk is feed fetch behavior around redirects and request timeouts

Checklist

  • Unit tests pass
  • Smoke tests pass
  • Documentation is updated
  • Specs are up to date and not in conflict
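The policy the PR describes (resolve every hop, reject non-public addresses, pin the connection to the checked address, follow redirects manually, and refuse any redirect that leaves the original host) written out as an added example. This is not FetchKit's code; it assumes a caller-supplied `send(url, pinned_ip)` transport and an injectable `resolver`, so the policy can be exercised without network access.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

class OutboundPolicyError(Exception):
    """A hop violated the outbound policy (non-public target or cross-host redirect)."""

def default_resolver(host):
    """Resolve every address for host, so a multi-answer record cannot hide a private IP."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def pin_hop(url, resolver=default_resolver):
    """Validate one hop and return the address the caller must connect to (DNS pinning)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise OutboundPolicyError(f"unsupported URL: {url}")
    addrs = resolver(parts.hostname)
    bad = [a for a in addrs if not is_public(a)]
    if not addrs or bad:
        raise OutboundPolicyError(f"{parts.hostname} resolves to non-public {bad or 'nothing'}")
    return addrs[0]

def fetch_with_policy(url, send, resolver=default_resolver, max_hops=5):
    """Follow redirects manually; send(url, pinned_ip) -> (status, headers, body).
    Every hop is re-checked against the policy and must stay on the original host."""
    origin_host = urlsplit(url).hostname
    for _ in range(max_hops + 1):
        pinned = pin_hop(url, resolver)        # connect to this IP, never to a fresh lookup
        status, headers, body = send(url, pinned)
        if status not in REDIRECTS:
            return url, body
        location = headers.get("Location")
        if not location:
            raise OutboundPolicyError("redirect without Location header")
        nxt = urljoin(url, location)
        if urlsplit(nxt).hostname != origin_host:
            raise OutboundPolicyError(f"cross-host redirect to {nxt} refused")
        url = nxt
    raise OutboundPolicyError("too many redirects")
```

Re-resolving on every hop is what defeats a DNS answer that changes between hops; pinning to the checked address is what keeps the connection from resolving a third time behind the check.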

@chaliy chaliy merged commit 24132d2 into main Apr 15, 2026
11 checks passed
@chaliy chaliy deleted the fix/issue-93-rss-feed-ssrf-policy branch April 15, 2026 13:03

Linked issue (#93): rss_feed fetcher bypasses SSRF and redirect policy
