fix: validate turbopuffer_base_url with outbound URL policy #46

Merged: bigint merged 1 commit into main from yoginth/fix-unvalidated-turbopuffer-base-url on May 22, 2026

@bigint
Owner

@bigint bigint commented May 22, 2026

Motivation

  • Prevent an admin-configurable SSRF/exfiltration vector by ensuring turbopuffer_base_url is normalized and validated with the same outbound URL safety policy used for S3 endpoints so settings-test/apply flows cannot contact arbitrary or private endpoints.

Description

  • Apply normalize_url_root (with UnsafeOutboundUrlError handling) to turbopuffer_base_url in validate_setting_value alongside the existing S3 endpoint keys, and update the instance-settings docs to require normalized HTTPS roots that pass outbound safety checks.

Testing

  • Ran lint/format attempts and doc checks: uv run ruff check --fix / uv run ruff format failed due to an external dependency download error, and pnpm exec biome check --write reported the docs path was ignored, so no automated test changes were executed in this environment.

Codex Task
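
A sketch of the kind of check the description above refers to, added here as an illustration and not taken from this PR or the project's code. `check_outbound_root`, `OutboundUrlRejected` and the injectable `resolve` callback are hypothetical names, and the rules (HTTPS only, root URL only, no embedded credentials, public addresses only) are assumptions about what an outbound URL policy might enforce.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class OutboundUrlRejected(ValueError):
    """Hypothetical error type for this sketch (not the project's class)."""


def _dns(host):
    # Default resolver: every address the name currently maps to.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_root(raw, resolve=_dns):
    """Return the normalized https root of `raw`, or raise OutboundUrlRejected."""
    try:
        parts = urlsplit(raw.strip())
        host, port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError as exc:
        raise OutboundUrlRejected(f"unparseable URL: {exc}") from exc
    if parts.scheme != "https":
        raise OutboundUrlRejected("scheme must be https")
    if not host or parts.username is not None or parts.password is not None:
        raise OutboundUrlRejected("need a bare host without credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise OutboundUrlRejected("only a root URL is accepted")
    try:
        addrs = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            raise OutboundUrlRejected(f"cannot resolve {host}") from exc
    # Reject if ANY answer is loopback, private, link-local or otherwise non-public.
    bad = [str(a) for a in addrs if not a.is_global]
    if bad or not addrs:
        raise OutboundUrlRejected(f"non-public address: {bad}")
    name = f"[{host}]" if ":" in host else host  # re-bracket IPv6 literals
    return f"https://{name}" + ("" if port in (None, 443) else f":{port}")
```

A check like this at settings-save time only covers the addresses the name resolves to at that moment; the same check has to run again when the request is actually made, because DNS answers can change in between.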

@vercel

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| bigrag | Ready | Preview | May 22, 2026 10:59am |

@bigint bigint merged commit 19b5ae8 into main May 22, 2026
4 of 6 checks passed