Key vulnerability information

1. Redirect Validation

Description:
- The code changes ensure that redirects are validated against the reading configuration. This is essential to prevent redirect injection attacks.
- Redirect chains are now validated against the allow list in .

Changes:
- Added validation logic for redirect chains.
- Ensured that only allowed URLs can be redirected to.

2. Breaking Change in Constructor

Description:
- The constructor for is now private.
- Users must use to create an instance.

Reason:
- This is likely to enforce proper configuration and validation before instantiation.

3. Path and Host Allow List

Description:
- The code validates URLs against an allow list for hosts and paths.
- If a URL is outside the allow list, it is rejected.

Implementation:
- Used for path normalization.
- Config validations are done through and .

4. URL Reader Service

Description:
- The class implements .
- URL fetching is controlled via configuration and validation.

Safety Measures:
- Max number of redirects ( ) is set to prevent infinite loops.
- Proper error handling for various HTTP statuses.

5. Security Checks

Description:
- Various security checks are performed, like checking whether the URL starts with an allowed path or matches an allowed host.

Impact:
- Reduces the risk of injecting or accessing unauthorized URLs.

… `FetchUrlReader` service. Key improvements include mandatory configuration validation, redirect chain validation, and explicit error handling, all of which mitigate potential vulnerabilities related to URL injection and redirection attacks.
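The following is an added example, not code from the page or from the project it summarizes, showing how the five points above fit together: a host-and-path allow list, path normalization before the prefix check, manual redirect following so every hop in the chain is re-validated, a redirect cap, and explicit errors for unexpected HTTP statuses. Every identifier here (`AllowListEntry`, `ReaderConfig`, `isAllowed`, `readWithRedirects`, `Fetcher`, `demoConfig`, `demoFetcher`) is an assumption of this example and is not one of the names the page elides; the responses are canned so it runs offline.

```typescript
// Added example (hypothetical names throughout); canned responses stand in for the network.

interface AllowListEntry {
  host: string;       // exact hostname to allow
  paths?: string[];   // allowed path prefixes; omit to allow every path on the host
}

interface ReaderConfig {
  allow: AllowListEntry[];
  maxRedirects: number;  // cap on redirect hops followed before giving up
}

// Minimal response shape; a real reader would fill this from an HTTP client.
interface HttpResponse {
  status: number;
  location?: string;  // Location header, possibly relative to the request URL
  body?: string;
}

type Fetcher = (url: string) => HttpResponse;

// Normalize once: decode percent-encoding so "%2e%2e" reads as "..", then collapse
// "." and ".." segments so "/guides/../admin" is compared as "/admin".
function normalizePath(pathname: string): string {
  let decoded: string;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return "";  // malformed encoding never matches an allowed prefix
  }
  const out: string[] = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// "/guides" must not match "/guides-private": require a segment boundary after the prefix.
function prefixMatches(p: string, prefix: string): boolean {
  const norm = normalizePath(prefix);
  return p === norm || p.startsWith(norm === "/" ? "/" : norm + "/");
}

// Returns the parsed URL when it is inside the allow list, otherwise null.
// `base` lets a relative Location header be resolved against the URL that sent it.
function isAllowed(config: ReaderConfig, raw: string, base?: string): URL | null {
  let url: URL;
  try {
    url = new URL(raw, base);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;  // a redirect may not downgrade to plaintext
  const entry = config.allow.find(e => e.host === url.hostname);
  if (!entry) return null;
  if (!entry.paths) return url;
  const p = normalizePath(url.pathname);
  return entry.paths.some(prefix => prefixMatches(p, prefix)) ? url : null;
}

// Follow redirects by hand so each hop of the chain, not only the first URL, is checked.
function readWithRedirects(
  config: ReaderConfig,
  fetcher: Fetcher,
  start: string,
): { body: string; chain: string[] } {
  let current = isAllowed(config, start);
  if (!current) throw new Error(`URL not in allow list: ${start}`);
  const chain = [current.href];
  for (let hops = 0; ; hops++) {
    const res = fetcher(current.href);
    if (res.status >= 300 && res.status < 400 && res.location !== undefined) {
      if (hops >= config.maxRedirects) {
        throw new Error(`Too many redirects (limit ${config.maxRedirects})`);
      }
      const next = isAllowed(config, res.location, current.href);
      if (!next) throw new Error(`Redirect target not in allow list: ${res.location}`);
      current = next;
      chain.push(current.href);
      continue;
    }
    if (res.status !== 200) throw new Error(`Unexpected HTTP status ${res.status} for ${current.href}`);
    return { body: res.body ?? "", chain };
  }
}

// Constructed configuration and canned responses (not real hosts or pages).
const demoConfig: ReaderConfig = {
  allow: [{ host: "docs.example.com", paths: ["/guides"] }],
  maxRedirects: 3,
};

const canned: Record<string, HttpResponse> = {
  "https://docs.example.com/guides/start": { status: 301, location: "/guides/intro" },
  "https://docs.example.com/guides/intro": { status: 200, body: "intro page" },
  "https://docs.example.com/guides/offsite": { status: 302, location: "https://other.example.org/" },
  "https://docs.example.com/guides/loop": { status: 302, location: "loop" },
};
const demoFetcher: Fetcher = url => canned[url] ?? { status: 404 };

console.log(readWithRedirects(demoConfig, demoFetcher, "https://docs.example.com/guides/start"));
```

The relative `Location` in the first canned response is resolved against the URL that returned it and then re-checked, which is the point of validating the chain rather than only the starting URL; the off-site redirect and the self-redirect loop are rejected by the allow list and the hop cap respectively.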