From b4656fb2862b530f01ae747b22f5ca7dff0a5a6f Mon Sep 17 00:00:00 2001 From: tomaioo Date: Sun, 10 May 2026 11:22:07 -0700 Subject: [PATCH 1/2] fix(security): 2 improvements across 2 files - Security: Integer Overflow in Negative Ack Backoff Policy - Security: Potential SSRF via Issuer URL in OIDC Endpoint Provider Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- pulsar/negative_backoff_policy.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/pulsar/negative_backoff_policy.go b/pulsar/negative_backoff_policy.go index 937c210606..17c3f9128d 100644 --- a/pulsar/negative_backoff_policy.go +++ b/pulsar/negative_backoff_policy.go @@ -41,11 +41,10 @@ func (nbp *defaultNackBackoffPolicy) Next(redeliveryCount uint32) time.Duration minNackTime := 1 * time.Second // 1sec maxNackTime := 10 * time.Minute // 10min - backoff := float64(minNackTime << redeliveryCount) - if backoff == 0 { - // Overflow so we assign the maximum value of the backoff. - backoff = float64(maxNackTime) + if redeliveryCount >= 63 { + return maxNackTime } + backoff := float64(minNackTime << redeliveryCount) return time.Duration(math.Min(backoff, float64(maxNackTime))) } From abdbbb8c33a2944805c882c399763d742801ad8d Mon Sep 17 00:00:00 2001 From: tomaioo Date: Sun, 10 May 2026 11:22:08 -0700 Subject: [PATCH 2/2] fix(security): 2 improvements across 2 files - Security: Integer Overflow in Negative Ack Backoff Policy - Security: Potential SSRF via Issuer URL in OIDC Endpoint Provider Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- oauth2/oidc_endpoint_provider.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/oauth2/oidc_endpoint_provider.go b/oauth2/oidc_endpoint_provider.go index 32986b7314..1c380f0895 100644 --- a/oauth2/oidc_endpoint_provider.go +++ b/oauth2/oidc_endpoint_provider.go 
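Review bot: The new `if redeliveryCount >= 63` guard does not stop the overflow the commit title claims to fix: `minNackTime` is 1e9 ns (roughly 2^30), so `minNackTime << redeliveryCount` already exceeds int64 at a count of 34 and wraps to a negative or otherwise meaningless value, which `math.Min` passes through unchanged — for counts 34–62 `Next` can return a negative `time.Duration`, i.e. no backoff at all. The removed `== 0` check only caught shifts of 64 or more, so this range was wrong before too, but the replacement should close it rather than move the threshold. Since `math` is already in use here, scaling in floating point removes the wrap entirely: replace the guard and the shift with `backoff := float64(minNackTime) * math.Exp2(float64(redeliveryCount))` and keep the existing `math.Min` clamp — a power-of-two scale of 1e9 is exact in float64, and an oversized count produces +Inf, which the clamp reduces to `maxNackTime`. A test such as `if d := p.Next(34); d != 10*time.Minute { t.Fatal(d) }` would have caught this; `Next`'s opening line is outside the hunk.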
@@ -40,6 +40,17 @@ func GetOIDCWellKnownEndpointsFromIssuerURL(issuerURL string) (*OIDCWellKnownEnd if err != nil { return nil, errors.Wrap(err, "could not parse issuer url to build well known endpoints") } + + // Validate URL scheme - only allow HTTPS to prevent SSRF attacks + if u.Scheme != "https" { + return nil, errors.New("issuer URL must use HTTPS scheme") + } + + // Validate host is not empty + if u.Host == "" { + return nil, errors.New("issuer URL must have a host") + } + u.Path = path.Join(u.Path, ".well-known/openid-configuration") r, err := http.Get(u.String())