OpenSID
diff --git a/‎app/Helpers/helper.php‎
Lines changed: 47 additions & 2 deletions b/‎app/Helpers/helper.php‎
Lines changed: 47 additions & 2 deletions
diff --git a/‎package-lock.json‎
Lines changed: 9 additions & 9 deletions b/‎package-lock.json‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎public/css/app.css‎
Lines changed: 1 addition & 0 deletions b/‎public/css/app.css‎
Lines changed: 1 addition & 0 deletions
@@ -114,15 +114,60 @@ function fixDomainName($url = '')
     }
 }
 
+if (! function_exists('is_trusted_github_api_url')) {
+    /**
+     * Validate that the URL is a trusted GitHub API endpoint to prevent SSRF attacks.
+     *
+     * @param  string $url
+     * @return bool
+     */
+    function is_trusted_github_api_url($url)
+    {
+        // Parse the URL to validate its components
+        $parsed = parse_url($url);
+        
+        if (!$parsed || !isset($parsed['scheme'], $parsed['host'], $parsed['path'])) {
+            return false;
+        }
+
+        // Only allow HTTPS
+        if ($parsed['scheme'] !== 'https') {
+            return false;
+        }
+
+        // Only allow api.github.com domain
+        if ($parsed['host'] !== 'api.github.com') {
+            return false;
+        }
+
+        // Allow only specific trusted OpenSID repository release endpoints
+        $allowed_paths = [
+            '/repos/OpenSID/rilis-premium/releases/latest',
+            '/repos/OpenSID/rilis-pbb/releases/latest',
+            '/repos/OpenSID/opendk/releases/latest',
+            '/repos/OpenSID/rilis-opensid-api/releases/latest',
+        ];
+
+        return in_array($parsed['path'], $allowed_paths, true);
+    }
+}
+
 if (! function_exists('lastrelease')) {
     /**
-     * Validasi domain.
+     * Get latest release from trusted GitHub API endpoints.
+     * 
+     * Security: Only allows requests to trusted GitHub API endpoints to prevent SSRF attacks.
      *
      * @param  string $url
-     * @return object
+     * @return object|false
      */
     function lastrelease($url)
     {
+        // Security: Validate that the URL is a trusted GitHub API endpoint
+        if (!is_trusted_github_api_url($url)) {
+            return false;
+        }
+
         try {
             $response = Http::withHeaders([
                 'Accept' => 'application/vnd.github.v3+json',
 
@@ -16,7 +16,7 @@
     },
     "devDependencies": {
         "@playwright/test": "^1.54.1",
-        "axios": "^0.28",
+        "axios": "^0.30",
         "laravel-mix": "^6.0.6",
         "lodash": "^4.17.19",
         "postcss": "^8.1.14"
 
@@ -0,0 +1 @@
+