fix(voice-call): derive SSRF allowedHostnames from baseUrl for non-US regions

getCallStatus had a hardcoded allowedHostnames of ['api.twilio.com'], which
causes the SSRF guard to reject requests for non-US regional endpoints
(e.g. api.dublin.ie1.twilio.com). The error was silently swallowed, breaking
call status polling for all non-US region deployments.

Derive the hostname dynamically from this.baseUrl instead. The baseUrl is
constructed from Zod-validated config (region/edge with regex constraints),
so SSRF protection is preserved.
Giuliano 2026-03-06 20:52:09 +01:00
parent b1a99dd300
commit f3928a9ebf


@ -731,7 +731,7 @@ export class TwilioProvider implements VoiceCallProvider {
Authorization: `Basic ${Buffer.from(`${this.accountSid}:${this.authToken}`).toString("base64")}`,
},
allowNotFound: true,
allowedHostnames: ["api.twilio.com"],
allowedHostnames: [new URL(this.baseUrl).hostname],
auditContext: "twilio-get-call-status",
errorPrefix: "Twilio get call status error",
});
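Review bot: The allow-list at `allowedHostnames: [new URL(this.baseUrl).hostname]` is now computed from the same value it is supposed to constrain. If the request URL for this call is also built from this.baseUrl (not shown in the hunk), the guard can no longer reject anything here, and the SSRF protection rests entirely on the config validation the commit message mentions. Consider keeping an independent check, for example asserting that the derived hostname is `api.twilio.com` or ends with `.twilio.com` before it is placed in the list, so a future change to how baseUrl is built cannot silently widen the allowed set. `new URL(this.baseUrl)` also throws on a malformed value. Deriving and validating the hostname once at construction time would surface that at startup rather than inside the polling path. The commit message also says the original rejection was silently swallowed, and nothing in this hunk changes that, so a log or audit entry when the guard rejects a request is still worth adding.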