Logflare / logflare / 1bd038deb3eaae3540ba840b56494482db9b9723
82%

Build:
DEFAULT BRANCH: main
Ran 25 Jun 2026 07:09PM UTC
Jobs 1
Files 487
Run time 2min

25 Jun 2026 06:55PM UTC coverage: 81.664% (-0.001%) from 81.665%
1bd038deb3eaae3540ba840b56494482db9b9723

push

github

web-flow
Configurable endpoint for S3 Adaptor (#3520)

* feat: Add configurable S3 endpoint

* feat: validate S3 endpoint against SSRF

Add SSRF protection for the configurable S3 endpoint by rejecting
endpoints that resolve to private or reserved IP addresses, plus tests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* feat: gate S3 custom endpoint behind provider allowlist

Replace the IP-denylist SSRF check on the S3 endpoint with a hostname
allowlist gated by tenancy. The previous approach resolved the host but
passed the hostname to the FSS.S3 client, which re-resolves DNS itself,
leaving a DNS-rebinding/dual-stack TOCTOU window. An allowlist of known
S3-compatible providers removes the attacker's control over DNS, which is
the precondition for the bypass.

- Multi-tenant: endpoint host must match a trusted provider suffix
- Single-tenant: any endpoint allowed (operator trusts own infra)
- Remove the runtime check_no_ssrf!/1 raise; validation lives at
  config-save time and test_connection/1 keeps its :ok | {:error, term()}
  contract

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* feat: gate S3 endpoint SSRF allowlist behind env var instead of tenancy

Replace the single-tenant gating of the S3 custom-endpoint allowlist with
an explicit escape-hatch env var, LOGFLARE_UNSAFE_DISABLE_SSRF_S3_ENDPOINT_CHECK.
The allowlist is enforced by default; only an explicit truthy value disables
it, for trusted self-hosted deployments using non-public S3-compatible
storage (e.g. internal MinIO). Documented in the self-hosting env-var table
with an SSRF warning.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* feat: Allow Supabase and Tigris S3 endpoints

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

11 of 12 new or added lines in 1 file covered. (91.67%)

1 existing line in 1 file now uncovered.

13468 of 16492 relevant lines covered (81.66%)

5089.65 hits per line

Uncovered Changes

Lines Coverage ∆ File
1 44.64 9.86% lib/logflare/backends/adaptor/s3_adaptor.ex

Coverage Regressions

Lines Coverage ∆ File
1 30.77 -3.85% lib/logflare/sources/source/text_notification_server.ex
Jobs
ID Job ID Ran Files Coverage
1 1bd038deb3eaae3540ba840b56494482db9b9723.1 25 Jun 2026 07:09PM UTC 487 81.66
GitHub Action Run
Source Files on build 1bd038deb3eaae3540ba840b56494482db9b9723
  • Tree
  • List 487
  • Changed 2
  • Source Changed 0
  • Coverage Changed 2