
fix: constrain Slack response posts to allowed host #37

Merged: saagpatel merged 3 commits into main from codex/fix-slack-response-url on May 18, 2026

Conversation

@saagpatel (Owner)

What

  • Routes Slack response_url posts through a fixed Slack host after allowlisting the incoming URL.
  • Keeps dynamic response_url data limited to the allowed Slack path/query.

Why

  • Clears the remaining critical CodeQL SSRF finding after the prior Slack URL validation change.

How

  • Converts validated Slack response URLs into relative request paths and uses an httpx client with a constant base URL.

Testing

  • uv run ruff check .
  • uv run pytest tests/test_slack_ack.py

Performance Impact

  • None expected.

Risk / Notes

  • Low risk; behavior stays scoped to Slack response_url callbacks, with invalid hosts still skipped.
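Added example, not code from this PR or from backend/app/router_slack.py: the allowlist-then-pin pattern the How section describes, in stdlib Python with a stand-in client. The host hooks.slack.com, the exact-match allowlist, and the RecordingClient are assumptions; in practice an httpx.Client(base_url=SLACK_BASE_URL) would be passed in its place, and it joins the relative path onto the constant base so no caller-supplied host is ever dialled.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist: Slack delivers response_url on this host. Exact match,
# not suffix match, so "hooks.slack.com.evil.example" is rejected.
ALLOWED_SLACK_HOSTS = frozenset({"hooks.slack.com"})
# Constant base URL the client is pinned to; nothing from the request reaches it.
SLACK_BASE_URL = "https://hooks.slack.com"


def slack_relative_path(response_url: str) -> Optional[str]:
    """Return path+query of an allowed Slack response_url, or None if it is not allowed.

    Scheme must be https and the host exactly allowlisted; userinfo, an explicit
    port and a scheme-relative ("//...") path are refused, the fragment is dropped.
    """
    try:
        parts = urlsplit(response_url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or port is not None:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.hostname not in ALLOWED_SLACK_HOSTS:  # hostname is already lowercased
        return None
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return None
    return path + ("?" + parts.query if parts.query else "")


class RecordingClient:
    """Stand-in for httpx.Client(base_url=SLACK_BASE_URL); records what it would post."""

    def __init__(self) -> None:
        self.calls = []

    def post(self, url: str, json: dict) -> None:
        self.calls.append((url, json))


def post_slack_response(client, response_url: str, payload: dict) -> bool:
    """Post payload to response_url through a base-URL-pinned client; skip invalid hosts."""
    rel = slack_relative_path(response_url)
    if rel is None:
        return False  # invalid host or shape: skipped, never forwarded
    client.post(rel, json=payload)  # client joins rel onto SLACK_BASE_URL
    return True
```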

Review thread on backend/app/router_slack.py: resolved (Fixed)
@saagpatel saagpatel merged commit 6b7a49c into main May 18, 2026
4 checks passed
@saagpatel saagpatel deleted the codex/fix-slack-response-url branch May 18, 2026 17:06
2 participants