coolify/app/Rules/SafeExternalUrl.php

<?php

namespace App\Rules;

use Closure;
use Illuminate\Contracts\Validation\ValidationRule;
use Illuminate\Support\Facades\Log;

class SafeExternalUrl implements ValidationRule
{
    /**
     * Run the validation rule.
     *
     * Validates that a URL points to an external, publicly-routable host.
     * Blocks private IP ranges, reserved ranges, localhost, and link-local
     * addresses to prevent Server-Side Request Forgery (SSRF).
     */
    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        if (! filter_var($value, FILTER_VALIDATE_URL)) {
            $fail('The :attribute must be a valid URL.');

            return;
        }

        $scheme = strtolower(parse_url($value, PHP_URL_SCHEME) ?? '');
        if (! in_array($scheme, ['https', 'http'])) {
            $fail('The :attribute must use the http or https scheme.');

            return;
        }

        $host = parse_url($value, PHP_URL_HOST);
        if (! $host) {
            $fail('The :attribute must contain a valid host.');

            return;
        }

        $host = strtolower($host);

        // Block well-known internal hostnames
        $internalHosts = ['localhost', '0.0.0.0', '::1'];
        if (in_array($host, $internalHosts) || str_ends_with($host, '.local') || str_ends_with($host, '.internal')) {
            Log::warning('External URL points to internal host', [
                'attribute' => $attribute,
                'url' => $value,
                'host' => $host,
                'ip' => request()->ip(),
                'user_id' => auth()->id(),
            ]);
            $fail('The :attribute must not point to internal hosts.');

            return;
        }

        // Resolve hostname to IP and block private/reserved ranges
        $ip = gethostbyname($host);

        // gethostbyname returns the original hostname on failure (e.g. unresolvable)
        if ($ip === $host && ! filter_var($host, FILTER_VALIDATE_IP)) {
            $fail('The :attribute host could not be resolved.');

            return;
        }

        if (! filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            Log::warning('External URL resolves to private or reserved IP', [
                'attribute' => $attribute,
                'url' => $value,
                'host' => $host,
                'resolved_ip' => $ip,
                'ip' => request()->ip(),
                'user_id' => auth()->id(),
            ]);
            $fail('The :attribute must not point to a private or reserved IP address.');

            return;
        }
    }
}
fix: add URL validation for GitHub source api_url and html_url fields Add SafeExternalUrl validation rule that ensures URLs point to publicly-routable hosts. Apply to all GitHub source entry points (Livewire Create, Livewire Change, API create and update). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-26 12:45:33 +00:00			`<?php`

			`namespace App\Rules;`

			`use Closure;`
			`use Illuminate\Contracts\Validation\ValidationRule;`
			`use Illuminate\Support\Facades\Log;`

			`class SafeExternalUrl implements ValidationRule`
			`{`
			`/**`
			`* Run the validation rule.`
			`*`
			`* Validates that a URL points to an external, publicly-routable host.`
			`* Blocks private IP ranges, reserved ranges, localhost, and link-local`
			`* addresses to prevent Server-Side Request Forgery (SSRF).`
			`*/`
			`public function validate(string $attribute, mixed $value, Closure $fail): void`
			`{`
			`if (! filter_var($value, FILTER_VALIDATE_URL)) {`
			`$fail('The :attribute must be a valid URL.');`

			`return;`
			`}`

			`$scheme = strtolower(parse_url($value, PHP_URL_SCHEME) ?? '');`
			`if (! in_array($scheme, ['https', 'http'])) {`
			`$fail('The :attribute must use the http or https scheme.');`

			`return;`
			`}`

			`$host = parse_url($value, PHP_URL_HOST);`
			`if (! $host) {`
			`$fail('The :attribute must contain a valid host.');`

			`return;`
			`}`

			`$host = strtolower($host);`

			`// Block well-known internal hostnames`
			`$internalHosts = ['localhost', '0.0.0.0', '::1'];`
			`if (in_array($host, $internalHosts) \|\| str_ends_with($host, '.local') \|\| str_ends_with($host, '.internal')) {`
			`Log::warning('External URL points to internal host', [`
			`'attribute' => $attribute,`
			`'url' => $value,`
			`'host' => $host,`
			`'ip' => request()->ip(),`
			`'user_id' => auth()->id(),`
			`]);`
			`$fail('The :attribute must not point to internal hosts.');`

			`return;`
			`}`

			`// Resolve hostname to IP and block private/reserved ranges`
			`$ip = gethostbyname($host);`

			`// gethostbyname returns the original hostname on failure (e.g. unresolvable)`
			`if ($ip === $host && ! filter_var($host, FILTER_VALIDATE_IP)) {`
			`$fail('The :attribute host could not be resolved.');`

			`return;`
			`}`

			`if (! filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE \| FILTER_FLAG_NO_RES_RANGE)) {`
			`Log::warning('External URL resolves to private or reserved IP', [`
			`'attribute' => $attribute,`
			`'url' => $value,`
			`'host' => $host,`
			`'resolved_ip' => $ip,`
			`'ip' => request()->ip(),`
			`'user_id' => auth()->id(),`
			`]);`
			`$fail('The :attribute must not point to a private or reserved IP address.');`

			`return;`
			`}`
			`}`
			`}`