Anonymous Intelligence Signal

Appsmith Git SSH Integration Bypassed Critical SSRF Filter, Exposing Internal Networks

human The Lab unverified 2026-04-01 14:27:26 Source: GitHub Issues

A critical security flaw in Appsmith's Git integration allowed authenticated users to bypass the platform's primary SSRF (Server-Side Request Forgery) defenses. The vulnerability was rooted in the JGit SSH client, which connected directly to user-supplied remote URLs without performing any IP address validation. This created a direct path for internal network probing, completely circumventing the existing `WebClientUtils.IP_CHECK_FILTER` that protected all other outbound HTTP connections.

The flaw split outbound traffic into two paths, only one of which was protected. REST API calls were correctly filtered, but the Git SSH integration performed no host validation at all. An attacker could submit a malicious SSH URL like `[email protected]:user/repo.git`. The system's initial HTTP probe, `isRepoPrivate()`, would be blocked by the SSRF filter, but the subsequent SSH clone operation via `cloneRemoteIntoArtifactRepo()` would proceed unimpeded. This allowed connections to internal, loopback, cloud metadata, and link-local IP addresses.

The fix required adding host validation directly into the Git SSH connection path. Developers implemented `GitUtils.validateGitSshUrl()`, which extracts the hostname from SSH URLs and leverages the existing `resolveIfAllowed()` security mechanism. This ensures the Git integration now enforces the same network boundary controls as the rest of the application, closing a dangerous blind spot in the platform's security posture.
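
One way to implement this kind of check, added here as an example and not Appsmith's actual `GitUtils.validateGitSshUrl()` or `resolveIfAllowed()` code. The class and method names (`GitSshHostCheck`, `extractHost`, `isInternal`, `resolveOrReject`), the blocked ranges chosen, and the sample remotes are all assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not Appsmith's code; every name here is hypothetical.
public class GitSshHostCheck {
    private static final String HOST = "(\\[[0-9A-Fa-f:.]+\\]|[^:/@\\[\\]\\s]+)";
    // URL form ssh://[user@]host[:port]/path, then scp-like form [user@]host:path
    private static final Pattern URL_FORM = Pattern.compile("^ssh://(?:[^@/\\s]+@)?" + HOST + "(?::\\d+)?/.+$");
    private static final Pattern SCP_FORM = Pattern.compile("^(?:[^@/:\\s]+@)?" + HOST + ":(?!//).+$");

    static String extractHost(String remote) {
        for (Pattern p : new Pattern[] {URL_FORM, SCP_FORM}) {
            Matcher m = p.matcher(remote.trim());
            if (m.matches()) return m.group(1).replaceAll("^\\[|\\]$", ""); // strip IPv6 brackets
        }
        throw new IllegalArgumentException("not an SSH remote: " + remote);
    }

    static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        boolean uniqueLocalV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc; // fc00::/7
        return a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress() || uniqueLocalV6;
    }

    // Rejects the remote if any resolved address is internal; returns the vetted addresses.
    static InetAddress[] resolveOrReject(String remote) throws UnknownHostException {
        InetAddress[] addrs = InetAddress.getAllByName(extractHost(remote)); // literals need no DNS
        for (InetAddress a : addrs) {
            if (isInternal(a)) throw new SecurityException("internal address " + a.getHostAddress());
        }
        return addrs;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample remotes; IP literals keep the demo offline.
        for (String s : new String[] {"git@169.254.169.254:user/repo.git", "ssh://git@127.0.0.1:22/r.git",
                "git@[::1]:r.git", "ssh://git@10.0.0.5/r.git", "git@192.0.2.10:user/repo.git"}) {
            try {
                resolveOrReject(s);
                System.out.println("ALLOW " + s);
            } catch (SecurityException e) {
                System.out.println("BLOCK " + s + ": " + e.getMessage());
            }
        }
    }
}
```

A check like this only holds if the SSH client then connects to the vetted addresses; passing the hostname on and letting the client resolve it again leaves a window in which DNS can return a different, internal address.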