Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
17,769 Commits 1 Branch 0 Tags 507 MiB
TypeScript 66.5%
Java 21.7%
JavaScript 9.4%
CSS 1%
Shell 0.6%
Other 0.7%
5a1ec0c591
Go to file
Shrikant Sharat Kandula 5a1ec0c591
chore: Disallow plugin requests to localhost (#34250) 
The microservices that run inside the Appsmith container, trust each
other, and may expose sensitive API endpoints to other internal
microservices. These sensitive APIs aren't accessible by outside the
Appsmith container, protected by Caddy's routing.

This means that the backend server's ability to make user-configured
HTTP requests, can lead to SSRFs to such sensitive API calls, if it's
allowed to call APIs on localhost.

In other words, Caddy establishes a trust boundary that protects these
internal APIs from outside the container. But we lack such a trust
boundary for the backend's plugins (API plugin, Elasticsearch plugin,
etc.). This PR solves that.

In this PR, we block both IPv4 and IPv6 loopback addresses.

No additional changes needed on EE, no conflicts, and all unit and
Cypress tests pass.

**/test all**

<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/9590358198>
> Commit: 5445c70aa873942c3edae9fbfcc57a6d2554b815
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=9590358198&attempt=2"
target="_blank">Cypress dashboard</a>.
> Tags: ``

<!-- end of auto-generated comment: Cypress test results  -->












<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Improved handling of disallowed hosts by dynamically computing based
on environment variables, offering more flexibility and control.
  
- **Refactor**
- Enhanced the `makeWebClient()` method to use a more efficient approach
for creating WebClient objects with custom configurations.

- **Chores**
- Added an `ENV` declaration for `IN_DOCKER` in the Dockerfile to better
manage Docker-specific configurations.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2024-06-20 11:00:22 +05:30
.github Updated Label Config 2024-06-18 15:25:01 +05:30
app chore: Disallow plugin requests to localhost (#34250) 2024-06-20 11:00:22 +05:30
contributions Chore/update contribution guideline (#34307) 2024-06-18 17:43:30 +05:30
deploy chore: Remove redundant adding Postgres bin to PATH (#34316) 2024-06-20 10:08:30 +05:30
scripts fix: failing dp builder (#34247) 2024-06-14 13:00:54 +05:30
static Add files via upload 2023-08-11 19:09:51 +05:30
utils/observability chore: Adding Redis metrics and dashboard to observability stack (#24755) 2023-06-27 11:19:09 +05:30
.deepsource.toml
.editorconfig chore: Python files use 4-space indentation 2023-09-15 14:55:43 +05:30
.env.example chore: Remove unused services (#30292) 2024-01-23 05:43:16 +05:30
.gitignore chore: Include version in info.json and remove fields that aren't being useful (#27288) 2023-09-15 15:50:23 +05:30
.imgbotconfig
.nojekyll
app.json test: Enable server tests for the PRs with base PG branch (#33429) 2024-05-22 15:55:20 +05:30
appsmith_events.md
appsmith_templates.md feat: migrate from org to workspace under phase 3 (#14158) 2022-07-20 17:24:16 +05:30
ci-debug.sh ci: CI optimisation to reduce ci-test run time and modularise docker image building (#21219) 2023-03-10 12:51:32 +05:30
CODE_OF_CONDUCT.md
CODEOWNERS chore: added code owner for cypress (#34125) 2024-06-10 13:29:05 +05:30
CONTRIBUTING.md docs: Updating contribution guidelines (#18190) 2022-11-23 11:41:40 +05:30
depot.json ci: Fixing the RTS build workflow (#16748) 2022-09-14 14:24:20 +05:30
Dockerfile chore: Disallow plugin requests to localhost (#34250) 2024-06-20 11:00:22 +05:30
heroku.yml
IssuesReport.md
LICENSE
README.md Update top contributors 2023-11-17 06:55:30 +05:30
SECURITY.md

README.md

Appsmith Logo

Discord GitHub commit activity

Organizations build internal applications such as dashboards, database GUIs, admin panels, approval apps, customer support dashboards, and more to help their teams perform day-to-day operations. Appsmith is an open-source tool that enables the rapid development of these internal apps. Read more on our website.

Appsmith in 100 secs

Installation

There are two ways to start using Appsmith:

  • Signup on Appsmith Cloud.
  • Install Appsmith on your machine. See the installation guides below.
Installation Methods Documentation
Docker Docker (Recommended)
Kubernetes Kubernetes
AWS AWS AMI

For other deployment options, see the Installation Guides documentation.

Development

To build and run Appsmith in your local dev environment, see Setup for local development.

Learning Resources

Need Help?

Contributing

We ❤️ our contributors. We're committed to fostering an open, welcoming, and safe environment in the community.

📕 We expect everyone participating in the community to abide by our Code of Conduct. Please read and follow it.
🤝 If you'd like to contribute, start by reading our Contribution Guide.
👾 Explore some good first issues.

Let's build great software together.

Top Contributors

Nikhil-Nandagopal mohanarpit sharat87 hetunandu trishaanand riodeuno nidhi-nair vicky-primathon Aishwarya-U-R satbir121 sumitsum AnaghHegde arunvjn NandanAnantharamu ankitakinger nayan-rafiq abhvsn jsartisan Rishabh-Rathod ohansFavour sbalaji1192 sarojsarab SatishGandham AmanAgarwal041 prsidhu ayushpahwa sneha122 ApekshaBhosale Parthvi12 yatinappsmith somangshu pratapaprasanna pranavkanade albinAppsmith marks0351 nsarupr ashit-rath NilanshBansal sondermanish KelvinOm dhruvikn rajatagrawal areyabhishek subrata71 ichik dipyamanbiswas07 rahulbarwal ankitsrivas14 vsvamsi1 brayn003 sharanya-appsmith vivonk dvj1988 ramsaptami rohan-arthur jacquesikot danciaclara kocharrahul7 riteshkew srix laveena-en RakshaKShetty Rishabhkaul sandeepravi tejasahluwalia dilippitchika nerbos rlnorthcutt kevinblanco AbhaySM tomjose92 andreevanatasha LagunaElectric sribalajig infinitetrooper RoopKrrish9696 bharath31 GreenFlux shadabbuchh harshilp24 appsmith-bot momcilo-appsmith shwetha-ramesh vasanthappsmith parth-appsmith chandannkumar jnikhila vinay-appsmith ame-appsmith btsgh Sripriya93 pranayagarwal96 kamakshibhat-appsmith sujdev7 BharghaviK carinanfonseca deepikaappsmith Harshask93 cssonic kavitasmoolya NeelPattani1 rashmi-sahoo-git michael-peach-appsmith akash-codemonk Tooluloope rishabhsaxena wmdev0808 Irongade techbhavin yaldram aswathkk rahulramesha sidhantgoel Vijetha-Kaja haojin111 berzerkeer sum35h ChandanBalajiBP devrk96 keyurparalkar eco-monk vibhandikyash ofpiyush vishnu-gp rimildeyjsr tanvibhakta rashmigowda55 ankurrsinghal Druthi geekup-legodevops megaconfidence vihar danieldare Nikhil-Curefit souma-ghosh arslanhaiderbuttar tkAppsmith rashmi-rai leotom2000 ravikp7 Adityaacharya1807 RashmiNagarajp prapullac kaushik94 PiyushPushkar02 akshayrangasaid mojtab23 rohitagarwal88 iamakulov iamrkcheers sumanthyedoti shubham7saxena7 vaibh1297 vnodecg pc9795 Rhitottam Pranay105 iSatVeerSingh abm17 akshay11298 daniel-shuy daniloff200 osis harshitpandey0426 ganganimaulik jyash97 ram-primathon sub1983 sanjus-robotic-studio AR10X shreemaan-abhishek A-Scratchy gitstart-appsmith manish535 shinnlok suhasranganath ThakurKarthik trdillon acharyaaditya18 amogh2019 appsmithguru pric-appsmith sunil-codemonk abhiappsmith ajinkyakulkarni Cool-Runningz akbansa ArjobanSingh bharat-patodi Bhavin789 bhuvanaindukuri donno2048 jacobwgillespie reachtokish nuwan94 OmkarPh parthiv11 priyanka-mahour rafaeelaudibert samyakjain10 Jain-Sanchit irfan-ansari-au28 sheetal2001p Hard-Coder05 vj-codes knockknockyoo jdun28 alphaX86 aanchal-fatwani monarch0111 abhishekS14 adarshlilha avats-dev visibleajay blenderskool AlekSi alzaar heroic AJ-72 apoorv-mishra anvaravind ari-hacks arunstar ashwanisindhu1 ayushkumarbhadani Caitlin-Fotheringham Chiradeep-Banik chrismaeda CommanderRoot DevSnap digvijaysinghh DiptoChakrabarty felixsuarez0727 gitstart Gretel8 danguilherme harshmange44 indrajitbnikam ishaanmehta4 jaikanthjay46 jarimayenburg JarLob JeffResc jmakhack jlund jrcamelo khoahuynhdev kylegalbraith loiscodes jk2K micarner me-heer MuhammadAakash dammahhammad moulik-deepsource Nandanha wasabigeek nipun1999 nishihere19 Nitesh2905 eagleera NoxiousPenguin palashkaria pallavagarwal07 paususe neok sanchezpili6 pushkar1393 imor ricardocarrola RishiKumarRay Rooney30 Saket2 Sheikh-JamirAlam withshubh smrutiparida somnathdasadhikari srijanshetty Sufiyan1997 rayrny trishitapingolia trivikr webdott vasanthkumar18 VanshajPoonia vedant-pandey torcoste vvkpd yasharma2301 Yash-Bhange YogeshJayaseelan Ian-Yy danceAndJive devnamrits deepakchethan IAmAnubhavSaini gokuatkai Jackenmen Mrxyy zimkjh kyteinsky lifeneedspassion nikhil-babar nupur-singhal1992 nzidol onifs10 ps-xaf

License

Appsmith is licensed under the terms of Apache License 2.0.