Skip to content

Update sharkord-rss to v0.1.1 (security fixes)#6

Merged
diogomartino merged 1 commit into
Sharkord:mainfrom
EssekerDev:add-sharkord-rss
May 26, 2026
Merged

Update sharkord-rss to v0.1.1 (security fixes)#6
diogomartino merged 1 commit into
Sharkord:mainfrom
EssekerDev:add-sharkord-rss

Conversation

@EssekerDev

Copy link
Copy Markdown
Contributor

sharkord-rss v0.1.1 — security patch over v0.1.0

This PR replaces the previously published v0.1.0 (PR #5) with v0.1.1, which fixes three security issues found shortly after the initial merge. The vulnerable versions/0.1.0.json is removed in the same diff so users can no longer install the buggy version from the marketplace.

🔒 Security fixes vs v0.1.0

  • SSRF bypass — RFC 6598 CGN range. isPrivateIPv4 did not block 100.64.0.0/10, leaving cloud-provider metadata endpoints (e.g. Alibaba's 100.100.100.200) reachable. Now rejected.
  • Feed-of-death via giant HTML entity. A feed containing &#999999999999; triggered an unhandled RangeError in String.fromCodePoint, DoS-stopping the article parse. Numeric entities are now clamped to the valid Unicode range (<= 0x10FFFF).
  • IPv6 loopback in uncompressed form. 0:0:0:0:0:0:0:1 and 0000::1 were not detected as loopback. Added a ::-aware expander so every textual form is rejected.

🩹 Reliability / DX improvements

  • Channel validity checks in syncFeedsFromSettings now run in parallel via Promise.all.
  • Single source of truth for "valid public HTTP(S) URL" shared between settings save and per-redirect checks (validatePublicHttpUrl).
  • response.on('error') wraps in FeedError so every fetchOnce rejection carries a stable .code.
  • Scheduler tick reduced from 60 s to 10 s so admin dialog saves are picked up much faster (Sharkord's admin dialog does not emit setting:set, so we rely on the tick).

🧪 Tests

50 unit tests added (bun test) covering the security-critical helpers — including explicit regression cases for the three issues above. Pass on Bun 1.3.x.

🗑 Files changed

  • plugins/sharkord-rss/versions/0.1.0.jsonremoved (vulnerable; no longer reachable from the marketplace)
  • plugins/sharkord-rss/versions/0.1.1.jsonadded

@EssekerDev EssekerDev closed this May 25, 2026
@EssekerDev EssekerDev reopened this May 25, 2026
@diogomartino diogomartino merged commit 421865d into Sharkord:main May 26, 2026
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants