Skip to content

Harden remote-file ingestion and inbound endpoints #573

Description

@kelvinkipruto

Parent

#572

What to build

Create a safe boundary for Meedan remote downloads and Airtable uploads, and add abuse controls to state-changing inbound endpoints. Downloads must not reach internal networks, uploaded content must match its claimed type, and repeated or replayed requests must be bounded and idempotent.

Acceptance criteria

  • Meedan remote URLs require HTTPS and a configured hostname allowlist.
  • DNS results and every redirect destination reject private, loopback, link-local, and cloud-metadata addresses.
  • Remote downloads have bounded redirect, connection, response, byte, and concurrency limits.
  • Uploads require consistent extension, MIME metadata, and file-signature validation.
  • SVG is removed or sanitized and served from an isolated origin with safe headers.
  • Upload size, rate, concurrency, storage, and cost quotas are documented and enforced.
  • Meedan secret comparison is constant-time and state-changing requests have replay/idempotency protection.
  • Tests cover SSRF variants, redirects, spoofed files, oversized files, replays, and duplicate delivery.

Blocked by

None - can start immediately.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions