Git Provider SDK SSRF Classification

This document defines the Server-Side Request Forgery (SSRF) risk classification for Git provider SDKs (GitHub, GitLab, Bitbucket) in Zen Mesh V1.

General Rule

A BaseURL fixed to the SaaS provider's own endpoint is low SSRF risk, because an attacker cannot choose where the SDK connects. A BaseURL that is user-controlled, or that points at a self-hosted instance, must be hardened before it is exposed: it decides which host the service will open authenticated connections to.

Before any user-controlled BaseURL is exposed, the following controls are required:

  • Allowlist of permitted domains/hosts
  • Scheme restrictions (HTTPS only)
  • Private IP / RFC1918 / loopback / link-local / cloud metadata endpoint blocking, for IPv6 as well as IPv4
  • DNS rebinding protection
  • Redirect policy (block or validate redirects)
  • Audit logging of BaseURL configuration

GitHub SDK

Classification: V1_PARTIAL

Aspect              | Detail
--------------------|-----------------------------------------------------------------------------
credentials.BaseURL | User-configurable in models.GitCredentials
Authenticate()      | Passes BaseURL to NewEnterpriseClient() without SSRF hardening
V1 delivery paths   | Do not set BaseURL; default to SaaS GitHub
V1 blocker?         | No, only because current V1 paths do not expose a user-controlled BaseURL
V1.1 requirement    | Transport hardening required before self-hosted/enterprise BaseURL exposure

If user-controlled BaseURL is exposed in V1, SSRF validation becomes a V1 blocker.

Do not assume that using a third-party SDK eliminates SSRF risk. The NewEnterpriseClient() constructor accepts an arbitrary URL and performs no host or scheme validation of its own; if that URL is user-controlled and unvalidated, SSRF is exploitable. The hardening has to happen in Zen Mesh, either by validating the URL before the client is constructed or by handing the SDK an http.Client whose transport enforces the controls above.

GitLab SDK

Classification: V1_SAFE_WITH_DOC

Aspect                  | Detail
------------------------|-----------------------------------------------
BaseURL                 | Comes from operator/env config in V1
Self-hosted constructor | Exists but not used in V1 delivery paths
V1 blocker?             | No

GitLab BaseURL is operator-controlled in V1. The self-hosted path exists in the SDK but is not exercised by V1 delivery paths. Document, where that constructor is exposed, that enabling self-hosted GitLab requires the same SSRF hardening controls listed above.

Bitbucket SDK

Classification: V1_SAFE_WITH_DOC

Aspect        | Detail
--------------|------------------------------------------------------------------------------------------
BaseURL       | Operator/env-only in V1
Raw SSRF risk | Higher: a bare http.Client with endpoints built by string-concatenating BaseURL and path
V1 exposure   | Not user-exposed in V1
V1 blocker?   | No

Bitbucket's raw http.Client endpoint construction has a higher inherent SSRF risk than the GitHub/GitLab SDKs: every part of BaseURL (scheme, userinfo, path, query) flows straight into the request URL, and a zero-value http.Client follows up to ten redirects and honours the process proxy environment, so there is no layer that would reject a non-HTTPS scheme or an internal host. This is acceptable in V1 only because BaseURL is not user-controlled. Hardening is required before self-hosted exposure.

Hardening Checklist (Before Any User BaseURL Exposure)

  • Domain/URL allowlist enforced (compare the parsed hostname, case-insensitively; do not substring-match the raw string)
  • HTTPS-only scheme restriction
  • Private IP ranges blocked (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8) and their IPv6 equivalents (::1/128, fc00::/7, fe80::/10); apply the IPv4 checks to IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) as well
  • Cloud metadata endpoints blocked (169.254.169.254, fd00:ec2::254); both fall inside the ranges above, but list them explicitly so a future range change cannot silently unblock them
  • DNS rebinding protection (resolve the hostname once, reject the name if any returned address is blocked, then dial the vetted IP rather than letting the dialer resolve again)
  • Redirect policy defined (block redirects, or re-run the full host and address validation on every redirect target, relative ones included)
  • Audit logging of BaseURL configuration changes
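
The following is an added example of how the controls in this checklist (and the required-controls list under General Rule) fit together around a Go http.Client of the kind the GitHub and Bitbucket code hands to the provider; it is not Zen Mesh code and the allowlist host `github.example-corp.internal` is a constructed placeholder. `ValidateBaseURL` is the configuration-time gate (scheme, allowlist); `vetDial` is the connection-time gate (resolved-address blocklist, rebinding pin); `NewHardenedClient` wires both into a transport that also refuses redirects. Audit logging of configuration changes is left to the caller.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
)

// Constructed allowlist for this example; load from operator config and audit-log changes in practice.
var allowedHosts = map[string]bool{"github.example-corp.internal": true}

// The checklist ranges: RFC1918, loopback, link-local (covers 169.254.169.254), 0.0.0.0/8, IPv6 loopback, ULA (covers fd00:ec2::254), IPv6 link-local.
var blockedNets = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("::1/128"), netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}

// IsBlockedIP reports whether a resolved address must never be dialed. Unmap turns
// ::ffff:10.0.0.1 into 10.0.0.1 so the mapped form cannot slip past the IPv4 ranges.
func IsBlockedIP(a netip.Addr) bool {
	a = a.Unmap()
	if a.IsUnspecified() || a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsMulticast() {
		return true
	}
	for _, p := range blockedNets {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ValidateBaseURL is the static gate at configuration time: parseable, HTTPS only, host on the allowlist.
func ValidateBaseURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q rejected: HTTPS only", u.Scheme)
	}
	if host := strings.ToLower(u.Hostname()); !allowedHosts[host] {
		return nil, fmt.Errorf("host %q not in allowlist", host)
	}
	return u, nil
}

// lookupFunc has the signature of net.Resolver.LookupNetIP so DNS can be faked offline.
type lookupFunc func(ctx context.Context, network, host string) ([]netip.Addr, error)

// vetDial resolves host:port itself, rejects the name if any answer is in a blocked range, and
// returns a pinned ip:port; dialing that (not re-resolving) is the DNS rebinding control.
func vetDial(ctx context.Context, lookup lookupFunc, addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	if !allowedHosts[strings.ToLower(host)] {
		return "", fmt.Errorf("dial to non-allowlisted host %q refused", host)
	}
	ips, err := lookup(ctx, "ip", host)
	if err != nil || len(ips) == 0 {
		return "", fmt.Errorf("lookup of %q failed: %v", host, err)
	}
	for _, a := range ips {
		if IsBlockedIP(a) {
			return "", fmt.Errorf("%q resolves to blocked address %s", host, a)
		}
	}
	return net.JoinHostPort(ips[0].Unmap().String(), port), nil
}

// NewHardenedClient wires vetDial into the transport and refuses redirects. TLS still verifies
// the request hostname: http.Transport takes ServerName from the URL, not from the dialed address.
func NewHardenedClient(lookup lookupFunc) *http.Client {
	return &http.Client{
		Transport: &http.Transport{DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			pinned, err := vetDial(ctx, lookup, addr)
			if err != nil {
				return nil, err
			}
			return (&net.Dialer{}).DialContext(ctx, network, pinned)
		}},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return fmt.Errorf("redirect to %s refused", req.URL)
		},
	}
}

func main() {
	fmt.Println(ValidateBaseURL("http://github.example-corp.internal/api/v3/"))
	_ = NewHardenedClient(net.DefaultResolver.LookupNetIP) // hand this to the SDK, not a bare http.Client
}
```

Two design points worth keeping when adapting this: the allowlist is checked again inside the dialer, not only on BaseURL, so an SDK that derives a second URL (an upload endpoint, for instance) cannot reach a host the operator never approved; and the dialer rejects the name if any DNS answer is blocked, rather than skipping the bad address, because a resolver that returns one public and one internal address is exactly what a rebinding attack looks like. The custom Transport also leaves Proxy unset, so an environment proxy variable cannot route the request somewhere else.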

Summary

SDK       | Classification   | V1 Blocker              | User BaseURL in V1?
----------|------------------|-------------------------|--------------------
GitHub    | V1_PARTIAL       | No (paths don't expose) | No
GitLab    | V1_SAFE_WITH_DOC | No                      | No
Bitbucket | V1_SAFE_WITH_DOC | No                      | No

All three require SSRF hardening before user-controlled or self-hosted BaseURL exposure in any future release.