fix(auth): Fix improper regex during auth that can lead to SSRF

Author: j-luong

cliv2/go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/snyk/cli-extension-sbom v0.0.0-20250801142135-ae472dafa4cd
 	github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7
 	github.com/snyk/error-catalog-golang-public v0.0.0-20250812140843-a01d75260003
-	github.com/snyk/go-application-framework v0.0.0-20250827114158-979c983b5beb
+	github.com/snyk/go-application-framework v0.0.0-20250828183950-34b0aa676be8
 	github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65
 	github.com/snyk/snyk-iac-capture v0.6.5
 	github.com/snyk/snyk-ls v0.0.0-20250826112710-2b9103023173

cliv2/go.sum

@@ -1301,8 +1301,8 @@ github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7 h1:/2+2piwQtB9f
 github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7/go.mod h1:38w+dcAQp9eG3P5t2eNS9eG0reut10AeJjLv5lJ5lpM=
 github.com/snyk/error-catalog-golang-public v0.0.0-20250812140843-a01d75260003 h1:qeXih9sVe/WvhccE3MfEgglnSVKN1xTQBcsA/N96Kzo=
 github.com/snyk/error-catalog-golang-public v0.0.0-20250812140843-a01d75260003/go.mod h1:Ytttq7Pw4vOCu9NtRQaOeDU2dhBYUyNBe6kX4+nIIQ4=
-github.com/snyk/go-application-framework v0.0.0-20250827114158-979c983b5beb h1:7Ul0tCIguoSCuZ1kLGj7e7Yt5YRBYRDHDMHXhLEeX20=
-github.com/snyk/go-application-framework v0.0.0-20250827114158-979c983b5beb/go.mod h1:BcHDVsw0EkwisckVp8qVItO1eqI98fMrb61GCGr7ERM=
+github.com/snyk/go-application-framework v0.0.0-20250828183950-34b0aa676be8 h1:TXM70Bs8vu3mNhvOIXKd2ZnT9gqL6egIW+m4WWoiYYY=
+github.com/snyk/go-application-framework v0.0.0-20250828183950-34b0aa676be8/go.mod h1:BcHDVsw0EkwisckVp8qVItO1eqI98fMrb61GCGr7ERM=
 github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65 h1:CEQuYv0Go6MEyRCD3YjLYM2u3Oxkx8GpCpFBd4rUTUk=
 github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65/go.mod h1:88KbbvGYlmLgee4OcQ19yr0bNpXpOr2kciOthaSzCAg=
 github.com/snyk/policy-engine v0.33.2 h1:ZxD6/RQ4vqUAXa64V72SsGjZ8vmnBgZNGYQxMIqctYo=

scripts/upgrade-snyk-go-dependencies.go

@@ -85,6 +85,9 @@ func getLatestCommitSHA(name string) (string, error) {
 }
 
 func upgradeGoMod(name, commitSHA string) error {
+	fmt.Println("🔍 Upgrading: ", name)
+	fmt.Println("🔍 Commit SHA: ", commitSHA)
+
 	cmd := exec.Command("go", "get", fmt.Sprintf("github.com/snyk/%s@%s", name, commitSHA))
 	cmd.Dir = "./cliv2"
 	if err := cmd.Run(); err != nil {
@@ -102,13 +105,18 @@ func upgradeGoMod(name, commitSHA string) error {
 	return nil
 }
 
-func upgradeDep(name string) error {
-	commitSHA, err := getLatestCommitSHA(name)
-	if err != nil {
-		return err
+func upgradeDep(name string, commit string) error {
+	var err error
+
+	if commit == "" {
+		fmt.Println("🔍 No commit SHA provided, fetching latest commit...")
+		commit, err = getLatestCommitSHA(name)
+		if err != nil {
+			return err
+		}
 	}
 
-	if err := upgradeGoMod(name, commitSHA); err != nil {
+	if err := upgradeGoMod(name, commit); err != nil {
 		return err
 	}
 
@@ -117,17 +125,18 @@ func upgradeDep(name string) error {
 
 func main() {
 	name := flag.String("name", "", "Repository name to download from (e.g., go-application-framework)")
+	commit := flag.String("commit", "", "Commit SHA to upgrade to")
 	flag.Parse()
 
 	if *name == "" {
-		if err := upgradeDep("go-application-framework"); err != nil {
+		if err := upgradeDep("go-application-framework", ""); err != nil {
 			fmt.Printf("An error occurred: %v\n", err)
 		}
-		if err := upgradeDep("snyk-ls"); err != nil {
+		if err := upgradeDep("snyk-ls", ""); err != nil {
 			fmt.Printf("An error occurred: %v\n", err)
 		}
 	} else {
-		if err := upgradeDep(*name); err != nil {
+		if err := upgradeDep(*name, *commit); err != nil {
 			fmt.Printf("An error occurred: %v\n", err)
 		}
 	}

test/jest/acceptance/auth.spec.ts

@@ -122,6 +122,8 @@ describe('Auth', () => {
           ...env,
           // SNYK_API will actually be used up until the auth workflow
           SNYK_API: 'https://api.this.should.not.be.used.io',
+          // override the auth host regex check, else fakeServerHost will be rejected
+          INTERNAL_OAUTH_ALLOWED_HOSTS: '.*',
         },
       });
 
@@ -130,6 +132,8 @@ describe('Auth', () => {
       const configCmd = await runSnykCLI('config get api', {
         env: {
           ...env,
+          // override the auth host regex check, else fakeServerHost will be rejected
+          INTERNAL_OAUTH_ALLOWED_HOSTS: '.*',
         },
       });
       expect(configCmd.code).toEqual(0);
@@ -144,6 +148,8 @@ describe('Auth', () => {
       const authCmd = await runSnykCLI(`auth ${pat} -d`, {
         env: {
           ...envBackup,
+          // override the auth host regex check, else fakeServerHost will be rejected
+          INTERNAL_OAUTH_ALLOWED_HOSTS: '.*',
         },
       });
 
@@ -152,6 +158,8 @@ describe('Auth', () => {
       const configCmd = await runSnykCLI('config get api', {
         env: {
           ...envBackup,
+          // override the auth host regex check, else fakeServerHost will be rejected
+          INTERNAL_OAUTH_ALLOWED_HOSTS: '.*',
         },
       });
       expect(configCmd.code).toEqual(0);

test/jest/acceptance/pat.spec.ts

@@ -21,6 +21,8 @@ describe('PAT', () => {
       ...process.env,
       SNYK_TOKEN: pat,
       SNYK_DISABLE_ANALYTICS: '1',
+      // override the auth host regex check, else host will be rejected
+      INTERNAL_OAUTH_ALLOWED_HOSTS: '.*',
     };
 
     server = fakeServer(apiPath, env.SNYK_TOKEN);