Description
Create allow list and deny list configurations for hosts in fetch calls using the Graal engine
Problem
As a proactive security measure, we should implement configurable allow and deny lists for hostnames, IPs, and potentially ports as the target of fetch API requests in lambdas using the Graal engine. This would allow an admin to restrict the destinations of API calls made from within lambdas.
Solution
When this functionality is enabled and a list is supplied via configuration property or environment variable, FusionAuth should either only allow a fetch call if the host is within the allow list or deny any calls when the host is in the deny list. We should provide helpful messages in the event log when a call is denied to help an admin know why a request was denied.
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
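
The host check described under Solution, sketched in JavaScript as an added example (not FusionAuth code). The function name, the `allow`/`deny` config shape and the entry syntax are assumptions, as is letting a deny entry take precedence when both lists are supplied.

```javascript
// Added example. checkFetchTarget and the { allow, deny } config shape are hypothetical,
// not FusionAuth configuration. Entries: "host", "host:port", "*.domain", "[ipv6]:port".
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Lowercase and drop a trailing dot so "API.Example.com." equals "api.example.com".
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

function parseEntry(entry) {
  const m = /^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/.exec(entry.trim());
  if (!m) throw new Error(`Invalid list entry: ${entry}`);
  return { host: normalizeHost(m[1]), port: m[2] || null };
}

function entryMatches(entry, host, port) {
  const e = parseEntry(entry);
  if (e.port !== null && e.port !== port) return false; // entry pins a port
  if (e.host.startsWith('*.')) return host.endsWith(e.host.slice(1)); // subdomains only
  return e.host === host;
}

// Returns { allowed, reason }; reason is the text an event log entry would carry.
function checkFetchTarget(rawUrl, config) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { allowed: false, reason: `Fetch denied: [${rawUrl}] is not an absolute URL.` };
  }
  // Match on the parsed host, never on the raw string: the parser discards userinfo
  // ("https://good.test@other.test/") and canonicalizes numeric IPv4 forms.
  const host = normalizeHost(url.hostname);
  const port = url.port || DEFAULT_PORTS[url.protocol] || '';
  const deny = (config.deny || []).find((e) => entryMatches(e, host, port));
  if (deny) {
    return { allowed: false, reason: `Fetch to [${host}:${port}] denied: matches deny list entry [${deny}].` };
  }
  const allow = config.allow || [];
  if (allow.length > 0 && !allow.some((e) => entryMatches(e, host, port))) {
    return { allowed: false, reason: `Fetch to [${host}:${port}] denied: not in the allow list.` };
  }
  return { allowed: true, reason: null };
}
```

The check covers only the hostname written in the URL; redirects and DNS names that resolve to a denied address would need a second check where the connection is made.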