From 13fedeca8b600bc48c9a7db500f3f9ebdc261c2c Mon Sep 17 00:00:00 2001
From: Nevo David
Date: Sun, 29 Mar 2026 12:32:59 +0700
Subject: [PATCH] feat: upload from url, prevent internal access
---
 libraries/nestjs-libraries/src/dtos/media/upload.dto.ts | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libraries/nestjs-libraries/src/dtos/media/upload.dto.ts b/libraries/nestjs-libraries/src/dtos/media/upload.dto.ts
index 4704c094..1acac9b0 100644
--- a/libraries/nestjs-libraries/src/dtos/media/upload.dto.ts
+++ b/libraries/nestjs-libraries/src/dtos/media/upload.dto.ts
@@ -1,9 +1,14 @@
 import { IsDefined, IsString, Validate } from 'class-validator';
 import { ValidUrlExtension } from '@gitroom/helpers/utils/valid.url.path';
+import { IsSafeWebhookUrl } from '@gitroom/nestjs-libraries/dtos/webhooks/webhook.url.validator';
 
 export class UploadDto {
 @IsString()
 @IsDefined()
 @Validate(ValidUrlExtension)
+ @IsSafeWebhookUrl({
+ message:
+ 'URL must be a public HTTPS URL and cannot point to internal network addresses',
+ })
 url: string;
 }
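Review bot: The `@IsSafeWebhookUrl` decorator added on `url` checks the value only when the DTO is validated, so the "prevent internal access" guarantee depends on the download code, which is not part of this patch. If that downloader resolves the hostname again or follows redirects, the address it contacts can differ from the one validated here; it should re-check the resolved address at connect time and on every redirect hop, or refuse redirects. I would add a comment above the decorator such as `// Validation-time check only: the downloader must re-validate the resolved IP and each redirect target.` Separately, importing a validator from `dtos/webhooks` for media upload is a naming mismatch; a neutrally named export would make the shared intent clearer.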