backport: harden outbound fetches on release/1.4.0

[Doezer]

Summary

• Backport the useful security hardening from 🛡️ Sentinel: [HIGH] Fix SSRF vulnerabilities by using safeFetch #640 into
  elease/1.4.0
• Replace remaining direct outbound etch calls in server/igdb.ts, server/routes.ts, and downloader clients with safeFetch
• Address the review feedback from 🛡️ Sentinel: [HIGH] Fix SSRF vulnerabilities by using safeFetch #640 by preserving bracketed IPv6 literal support and pinning SABnzbd SSL-fallback requests to the validated IP
• Add targeted regression coverage for IPv6-safe fetches and SABnzbd insecure SSL fallback

Review notes

• Included from 🛡️ Sentinel: [HIGH] Fix SSRF vulnerabilities by using safeFetch #640: high-utility SSRF hardening that is appropriate for a release branch
• Not included from ⚡ Bolt: Optimize discover page local games parsing #639: performance-only discover-page refactor; low release value and it still had open review concerns around igdbId falsy handling and incomplete optimization (hiddenGames still recomputed separately)

[gemini-code-assist]

Code Review

This pull request refactors the SSRF protection mechanism by introducing a centralized resolveSafeAddress helper and a normalizeHostname utility in server/ssrf.ts. It updates several instances of standard fetch to use safeFetch across server/downloaders.ts, server/igdb.ts, and server/routes.ts, and adds corresponding tests for bracketed IPv6 literals and SSL fallback. The review feedback highlights several improvement opportunities: handling options.signal and calculating Content-Length in the custom fetchInsecure method, preserving the original error cause in resolveSafeAddress, and explicitly setting allowPrivate: false for external API requests (IGDB and Discord webhooks) as a defense-in-depth measure against SSRF.

[gemini-code-assist]

In fetchInsecure, the custom https.request implementation has two issues:

1. Ignoring options.signal: Timeout or abort signals set by the caller (e.g., AbortSignal.timeout) are ignored, which can lead to hung requests. We should pass signal: options.signal to https.request.
2. Missing Content-Length: Unlike standard fetch, https.request does not automatically calculate the Content-Length header for Buffer or string bodies. This can cause some self-hosted downloaders to reject the request with 411 Length Required or hang. We should calculate and set Content-Length if options.body is present and not already set.

  private async fetchInsecure(url: string, options: RequestInit): Promise<Response> {
    const parsedUrl = new URL(url);
    const { address, family } = await resolveSafeAddress(parsedUrl.hostname, true);
    const safeUrl = new URL(url);
    safeUrl.hostname = family === 6 ? `[${address}]` : address;

    const headers = new Headers(options.headers || {});
    headers.set("Host", parsedUrl.hostname);

    if (options.body && !headers.has("content-length")) {
      if (typeof options.body === "string") {
        headers.set("content-length", String(Buffer.byteLength(options.body)));
      } else if (Buffer.isBuffer(options.body) || options.body instanceof Uint8Array) {
        headers.set("content-length", String(options.body.byteLength));
      }
    }

    return new Promise((resolve, reject) => {
      const req = https.request(
        safeUrl.toString(),
        {
          method: options.method || "GET",
          headers: Object.fromEntries(headers.entries()) as import("http").OutgoingHttpHeaders,
          rejectUnauthorized: false,
          timeout: 30000,
          signal: options.signal,
        },

[gemini-code-assist]

In resolveSafeAddress, when dns.lookup fails, the catch block throws a generic error: throw new Error("Failed to resolve hostname: ...");. This discards the original error's details (such as ENOTFOUND or EAI_AGAIN), making troubleshooting and logging difficult.

We should preserve the original error by passing it as the cause option in the Error constructor.

Suggested change

	} catch (error) {
	if (error instanceof Error && error.message === "Invalid or unsafe URL") {
	throw error;
	}
	throw new Error(`Failed to resolve hostname: ${normalizedHostname}`);
	}
	} catch (error) {
	if (error instanceof Error && error.message === "Invalid or unsafe URL") {
	throw error;
	}
	throw new Error(`Failed to resolve hostname: ${normalizedHostname}`, { cause: error });
	}

[gemini-code-assist]

Since IGDB is a public external API, we should explicitly set allowPrivate: false in the safeFetch options as a defense-in-depth measure. This prevents potential SSRF or DNS rebinding attacks targeting internal/private networks if the external domain's DNS is manipulated or hijacked.

    const response = await safeFetch(
      `https://id.twitch.tv/oauth2/token?client_id=${clientId}&client_secret=${clientSecret}&grant_type=client_credentials`,
      {
        method: "POST",
        allowPrivate: false,

References

1. For defense-in-depth against Server-Side Request Forgery (SSRF), re-validate external URLs immediately before they are used, even if they were validated when saved.

[gemini-code-assist]

Similar to the authentication request, we should explicitly set allowPrivate: false in the safeFetch options for the IGDB API endpoint to prevent SSRF targeting internal/private networks.

Suggested change

	const response = await safeFetch(`https://api.igdb.com/v4/${endpoint}`, {
	method: "POST",
	headers: {
	Accept: "application/json",
	const response = await safeFetch(`https://api.igdb.com/v4/${endpoint}`, {
	method: "POST",
	allowPrivate: false,
	headers: {
	Accept: "application/json",

References

1. For defense-in-depth against Server-Side Request Forgery (SSRF), re-validate external URLs immediately before they are used, even if they were validated when saved.

[gemini-code-assist]

Since the Discord webhook is a public external service, we should explicitly set allowPrivate: false in the safeFetch options as a defense-in-depth measure. This prevents potential SSRF or DNS rebinding attacks targeting internal/private networks if the webhook URL's DNS is manipulated or hijacked.

Suggested change

	const discordRes = await safeFetch(webhookUrl, { method: "POST", body: formData });
	const discordRes = await safeFetch(webhookUrl, { method: "POST", body: formData, allowPrivate: false });

References

1. For defense-in-depth against Server-Side Request Forgery (SSRF), re-validate external URLs immediately before they are used, even if they were validated when saved.

[codecov]

Codecov Report

❌ Patch coverage is 97.36842% with 1 line in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
server/ssrf.ts	96.29%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 132a0f7cb1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve the original TLS server name when pinning SAB requests

For HTTPS SABnzbd instances with self-signed certs behind a TLS virtual host or reverse proxy, this retry now connects to the resolved IP address, but the request options never set servername back to parsedUrl.hostname. Node does not use a hostname SNI value when the connection target is an IP, so those servers can present the default certificate or reject the handshake before the Host header is used; the previous retry connected to the original hostname and preserved SNI. Please pass the original hostname as the TLS servername when using safeUrl.toString().

Useful? React with 👍 / 👎.

[sonarqubecloud]

Quality Gate failed

Failed conditions
2 Security Hotspots

See analysis details on SonarQube Cloud