Skip to content

fix: validate universe domain input to prevent SSRF credential leak#472

Open
adilburaksen wants to merge 1 commit into
google-github-actions:mainfrom
adilburaksen:fix/universe-ssrf-validation
Open

fix: validate universe domain input to prevent SSRF credential leak#472
adilburaksen wants to merge 1 commit into
google-github-actions:mainfrom
adilburaksen:fix/universe-ssrf-validation

Conversation

@adilburaksen
Copy link
Copy Markdown

@adilburaksen adilburaksen commented Apr 28, 2026

Summary

The universe input is interpolated directly into the Cloud Functions API endpoint:

cloudfunctions: 'https://cloudfunctions.{universe}/v2',

Setting universe: attacker.com routes all API calls — including Bearer GCP access tokens — to cloudfunctions.attacker.com.

Fix

Validates universe against known-safe patterns before use:

if (!/^([a-z0-9-]+\.)*googleapis\.com$/.test(universe)) {
  throw new Error(`Invalid universe domain "${universe}": ...`);
}

Allows googleapis.com (default) and Trusted Partner Cloud subdomains like us-central1.rep.googleapis.com. Blocks arbitrary hostnames.

Related

Companion PR for upload-cloud-storage: google-github-actions/upload-cloud-storage#404
Same class, same root cause in expandUniverseEndpoints.

@adilburaksen adilburaksen requested a review from a team as a code owner April 28, 2026 17:12
@adilburaksen
fix: validate universe is a bare hostname to prevent SSRF credential …
203ffe4 
…leak

The `universe` input is interpolated directly into the Cloud Functions API
endpoint (`https://cloudfunctions.${universe}/v2`). A value carrying URL syntax
can redirect the credentialed request — including the GCP access token in the
Authorization header — to an attacker-controlled host (e.g. `attacker.com#`
truncates the real host via the fragment delimiter).

Add `validateUniverse` (src/util.ts) which requires a well-formed DNS hostname
(no scheme, path, port, userinfo, query, or fragment) and call it from run().
This blocks URL-injection payloads while still accepting any legitimate
universe — googleapis.com, Trusted Partner Cloud, and Google Distributed Cloud
domains — without an allowlist that would break sovereign deployments.
@adilburaksen adilburaksen force-pushed the fix/universe-ssrf-validation branch from f67a395 to 203ffe4 Compare June 1, 2026 15:20
@adilburaksen
Copy link
Copy Markdown
Author

adilburaksen commented Jun 1, 2026

Updated this PR based on further review:

  • The validation now checks that universe is a well-formed DNS hostname (no scheme, path, port, userinfo, query, or fragment) rather than allowlisting *.googleapis.com. The earlier allowlist would have broken non-googleapis.com Trusted Partner Cloud / Google Distributed Cloud universes — this revision is non-breaking while still blocking the credential-leak vector (e.g. attacker.com# truncating the real host).
  • Extracted the check into validateUniverse (src/util.ts) with unit tests in tests/util.test.ts covering injection payloads and legitimate universes. Lint clean.

Companion fix: google-github-actions/upload-cloud-storage#404. Happy to address any review feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChrisGe4 ChrisGe4 Awaiting requested review from ChrisGe4 ChrisGe4 is a code owner automatically assigned from google-github-actions/maintainers

@verbanicm verbanicm Awaiting requested review from verbanicm verbanicm is a code owner automatically assigned from google-github-actions/maintainers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@adilburaksen