Skip to content

MM-573: Harden dynamic network config and authorization header handling#2026

Open
Divyateja2709 wants to merge 5 commits into
openMF:devfrom
Divyateja2709:pr-2
Open

MM-573: Harden dynamic network config and authorization header handling#2026
Divyateja2709 wants to merge 5 commits into
openMF:devfrom
Divyateja2709:pr-2

Conversation

@Divyateja2709

Copy link
Copy Markdown

hi @therajanmaurya

This PR strengthens network-layer security remediation for MM-573 by hardening how dynamic instance configuration and request headers are handled before outbound API calls.

What changed
Added strict sanitization and fallback handling for dynamic instance values in InstanceConfigManager:
platformTenantId validation and CR/LF stripping
endpoint sanitization
path sanitization
protocol enforcement to secure default (https://) on invalid values
Updated URL construction to use sanitized protocol/host/path for:
main URL
self-service URL
interbank URL
Hardened KtorInterceptor authorization behavior:
sanitize token header value before use
attach Authorization only for HTTPS requests (with local-dev host exceptions)
Added remediation documentation:
docs/security/network-hardening-mm573.md
Security impact
Reduces header injection risk via CR/LF in tenant/token values.
Prevents malformed dynamic instance config from directly shaping unsafe URLs.
Reduces risk of token exposure on insecure transport by restricting auth-header attachment.
Scope
core/network/src/commonMain/kotlin/org/mifospay/core/network/config/InstanceConfigManager.kt
core/network/src/commonMain/kotlin/org/mifospay/core/network/utils/KtorInterceptor.kt
docs/security/network-hardening-mm573.md

@Divyateja2709 Divyateja2709 requested a review from a team May 10, 2026 13:51
@coderabbitai

coderabbitai Bot commented May 10, 2026

Copy link
Copy Markdown
Contributor

Warning

Rate limit exceeded

@Divyateja2709 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 45 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c4433025-75c2-4115-877f-9c714d891732

📥 Commits

Reviewing files that changed from the base of the PR and between d399e0a and 3a8f15d.

📒 Files selected for processing (3)
  • core/network/src/commonMain/kotlin/org/mifospay/core/network/config/InstanceConfigManager.kt
  • core/network/src/commonMain/kotlin/org/mifospay/core/network/utils/KtorInterceptor.kt
  • docs/security/network-hardening-mm573.md
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@niyajali

Copy link
Copy Markdown
Collaborator

Hi, @Divyateja2709 We appreciate your Pull Request. To facilitate seamless integration and collaboration, please ensure you have joined our Slack workspace and the relevant designated channel. We recommend thoroughly reviewing the bookmark pages, project README, and wiki to gain a comprehensive understanding of the project architecture and development guidelines. Active participation in the daily stand-up meetings is encouraged for discussions, ticket assignments, and to foster connections with the development team. Prior to requesting an assignment in the channel, please create a Jira ticket or ask for an assignment of existing tickets. All pull request descriptions must comprehensively detail the before and after changes, substantiated by relevant video or image evidence.

@IOhacker IOhacker left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants