feat(security): implement robust IP validation and safeFetch foundation (#21401)

2026-03-10 14:10:37 -07:00 · 2026-03-09 12:02:07 -07:00
parent b68d7bc0f9
commit e92ccec6c8
16 changed files with 612 additions and 27 deletions
--- a/packages/cli/src/ui/commands/setupGithubCommand.ts
+++ b/packages/cli/src/ui/commands/setupGithubCommand.ts
@@ -120,6 +120,7 @@ async function downloadFiles({
    downloads.push(
      (async () => {
        const endpoint = `${REPO_DOWNLOAD_URL}/refs/tags/${releaseTag}/${SOURCE_DIR}/${fileBasename}`;
+        // eslint-disable-next-line no-restricted-syntax -- TODO: Migrate to safeFetch for SSRF protection
        const response = await fetch(endpoint, {
          method: 'GET',
          dispatcher: proxy ? new ProxyAgent(proxy) : undefined,
--- a/packages/cli/src/utils/gitUtils.ts
+++ b/packages/cli/src/utils/gitUtils.ts
@@ -61,6 +61,7 @@ export const getLatestGitHubRelease = async (

    const endpoint = `https://api.github.com/repos/google-github-actions/run-gemini-cli/releases/latest`;

+    // eslint-disable-next-line no-restricted-syntax -- TODO: Migrate to safeFetch for SSRF protection
    const response = await fetch(endpoint, {
      method: 'GET',
      headers: {