Why is this an issue?
In internal/core/services/cron_worker.go:74, TargetURL is used directly in HTTP requests without validation. Attackers can schedule cron jobs to hit internal endpoints.
What is causing it?
req, err := http.NewRequestWithContext(ctx, job.TargetMethod, job.TargetURL, ...)
How can it be solved?
Add URL validation like the Gateway SSRF fix: block private IP ranges and cloud metadata endpoints.
Category
Severity
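A sketch of the validation suggested above, as an added example; it is not code from this repository or from its Gateway SSRF fix, which the issue does not show. The names `isBlockedIP`, `checkTargetURL`, `dialControl` and `newCronHTTPClient` are hypothetical, and the blocked ranges are the ones Go's `net.IP` helpers classify as loopback, private, link-local (which includes the 169.254.169.254 metadata address), multicast or unspecified.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// isBlockedIP: loopback, RFC 1918/ULA private, link-local (this range holds the
// 169.254.169.254 cloud metadata address), multicast and unspecified addresses.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// checkTargetURL is the schedule-time check: http(s) only, no blocked IP literal.
func checkTargetURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("invalid target URL %q", raw)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isBlockedIP(ip) {
		return fmt.Errorf("target %s is in a blocked range", ip)
	}
	return nil
}

// dialControl runs after DNS resolution and before connect(), so it sees the IP
// really being dialed, including redirect targets. Unparseable hosts fail closed.
func dialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if ip := net.ParseIP(host); err != nil || ip == nil || isBlockedIP(ip) {
		return fmt.Errorf("dial to %s blocked", address)
	}
	return nil
}

// newCronHTTPClient returns a client whose every connection passes dialControl.
func newCronHTTPClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: dialControl}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() { fmt.Println(checkTargetURL("http://169.254.169.254/latest/meta-data/")) }
```

`checkTargetURL` alone does not cover a hostname that resolves to an internal address at request time, which is why the request itself should go through the client from `newCronHTTPClient`.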