• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

ukeeper / ukeeper-readability
78%
master: 78%

Build:
Build:
LAST BUILD BRANCH: fix/docker-gha-cache
DEFAULT BRANCH: master
Repo Added 24 Apr 2022 10:34PM UTC
Token PvVP7XZODHNMukB1VLWbVHHC4V09CWSI6 regen
Build 273 Last
Files 9
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH fix/ssrf-ip-guard
branch: fix/ssrf-ip-guard
CHANGE BRANCH
x
Reset
Sync Branches
  • fix/ssrf-ip-guard
  • ci-dockerhub-soft-fail
  • ci/workflow-hardening
  • cleaner_frontend_structure
  • dependabot/docker/node-22
  • dependabot/github_actions/github-actions-updates-14cb627f6c
  • dependabot/github_actions/github-actions-updates-1ee787ebfb
  • dependabot/github_actions/github-actions-updates-5714300483
  • dependabot/github_actions/github-actions-updates-640176b5ab
  • dependabot/github_actions/github-actions-updates-7aa8621bec
  • dependabot/github_actions/github-actions-updates-afd9e15987
  • dependabot/go_modules/backend/go-modules-updates-08b33d1c25
  • dependabot/go_modules/backend/go-modules-updates-0bc617739e
  • dependabot/go_modules/backend/go-modules-updates-407dd4786b
  • dependabot/go_modules/backend/go-modules-updates-5e29427af7
  • dependabot/go_modules/backend/go-modules-updates-5e519fa3dd
  • dependabot/go_modules/backend/go-modules-updates-71a6db2b89
  • dependabot/go_modules/backend/go-modules-updates-751992312c
  • dependabot/go_modules/backend/go-modules-updates-a616c34cc0
  • dependabot/go_modules/backend/go-modules-updates-c1eb5b8ad9
  • dependabot/go_modules/backend/go-modules-updates-c2169da76e
  • dependabot/go_modules/backend/go-modules-updates-d01d85479d
  • dependabot/go_modules/backend/go-modules-updates-d6af324dbd
  • dependabot/go_modules/backend/go-modules-updates-ec788c1f9d
  • dependabot/go_modules/backend/go-modules-updates-f885172778
  • dependabot/go_modules/backend/golang.org/x/crypto-0.31.0
  • dependabot/go_modules/backend/golang.org/x/net-0.36.0
  • dependabot/go_modules/go-modules-updates-0b36ab2f83
  • dependabot/npm_and_yarn/frontend/npm-development-modules-updates-89027bf77e
  • dependabot/npm_and_yarn/frontend/npm-development-modules-updates-e6f6ae78c6
  • deps/update-latest-go1.25
  • fix-cf-maxretries-doc
  • fix-top3-review
  • fix/docker-gha-cache
  • fix/image-fetch-streaming
  • fix/textarea-crlf
  • generic-updates
  • htmx
  • master
  • modularise-retrieval
  • openai-auto-extraction
  • openai_rules_generator
  • openai_rules_improver
  • paskal/bump_modules
  • paskal/clarify_comment
  • paskal/cleanup_readme
  • paskal/fix_build
  • paskal/improve_docker_compose
  • paskal/index_to_htmx
  • paskal/migrate_to_htmx
  • paskal/offline_tests
  • paskal/remove_edit_html
  • paskal/return_rule_id_on_update
  • paskal/safe_password_check
  • refs/tags/v0.1.0
  • refs/tags/v0.1.1
  • refs/tags/v0.1.2
  • refs/tags/v0.2.0
  • remove-jquery
  • remove_chi
  • typos_fixes
  • umputun/add-chatgpt-endpoints
  • update-deps-2026-04-11
  • worktree-ci-hardening

04 Jul 2026 12:03PM UTC coverage: 77.85% (-0.1%) from 77.947%
28705617872

Pull #83

github

paskal
Block SSRF to non-public addresses via connect-time IP guard

POST /api/extract is unauthenticated and the extractor fetched any URL it
was given with no host validation, so a caller could reach
http://169.254.169.254/... (cloud metadata), localhost and other internal
hosts; image extraction amplified it by following <img src> into more
internal fetches.

The page retriever and image fetcher reject targets that resolve to
loopback, private, link-local, unspecified, multicast and other IANA
special-purpose ranges (0.0.0.0/8, CGNAT, benchmarking, documentation,
reserved, broadcast) via a net.Dialer Control hook that checks the actual
IP at connect time, so it also covers redirect-to-internal and DNS
rebinding; the guarded transport disables env proxies so validation can't
be bypassed through a proxy. extractWithRules additionally validates the
resolved host up front, so the Cloudflare path (which fetches remotely and
isn't covered by the dialer) enforces the same policy.

Image probes share a single lazily-built client (and its guarded transport)
rather than constructing one per <img>, so enabling the guard by default
doesn't churn transports/FDs; the probe request no longer forces
Connection: close, letting the shared client reuse connections.

Enabled by default; operators opt out with --allow-private-networks for
trusted intranet extraction. The default HTTPRetriever inherits the flag
from UReadability so package-level callers are guarded too.
Pull Request #83: Block SSRF to non-public addresses via connect-time IP guard

81 of 101 new or added lines in 5 files covered. (80.2%)

833 of 1070 relevant lines covered (77.85%)

9.26 hits per line

Relevant lines Covered
Build:
Build:
1070 RELEVANT LINES 833 COVERED LINES
9.26 HITS PER LINE
Source Files on fix/ssrf-ip-guard
  • Tree
  • List 10
  • Changed 4
  • Source Changed 0
  • Coverage Changed 4
Coverage ∆ File Lines Relevant Covered Missed Hits/Line

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
28705617872 fix/ssrf-ip-guard Block SSRF to non-public addresses via connect-time IP guard POST /api/extract is unauthenticated and the extractor fetched any URL it was given with no host validation, so a caller could reach http://169.254.169.254/... (cloud metadata), localho... Pull #83 04 Jul 2026 12:04PM UTC paskal github
77.85
28681422902 fix/ssrf-ip-guard Block SSRF to non-public addresses via connect-time IP guard POST /api/extract is unauthenticated and the extractor fetched any URL it was given with no host validation, so a caller could reach http://169.254.169.254/... (cloud metadata), localho... Pull #83 03 Jul 2026 08:11PM UTC paskal github
77.83
28681139181 fix/ssrf-ip-guard Block SSRF to non-public addresses via connect-time IP guard POST /api/extract is unauthenticated and the extractor fetched any URL it was given with no host validation, so a caller could reach http://169.254.169.254/... (cloud metadata), localho... Pull #83 03 Jul 2026 08:04PM UTC paskal github
77.77
See All Builds (213)

Badge your Repo: ukeeper-readability

We detected this repo isn’t badged! Grab the embed code to the right, add it to your repo to show off your code coverage, and when the badge is live hit the refresh button to remove this message.

Could not find badge in README.

Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

Refresh
  • Settings
  • Repo on GitHub
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc