From f3928a9ebfce567584ab1fd2abc3730f6ff5696c Mon Sep 17 00:00:00 2001
From: Giuliano
Date: Fri, 6 Mar 2026 20:52:09 +0100
Subject: [PATCH] fix(voice-call): derive SSRF allowedHostnames from baseUrl for non-US regions getCallStatus had a hardcoded allowedHostnames of ['api.twilio.com'], which causes the SSRF guard to reject requests for non-US regional endpoints (e.g. api.dublin.ie1.twilio.com). The error was silently swallowed, breaking call status polling for all non-US region deployments. Derive the hostname dynamically from this.baseUrl instead. The baseUrl is constructed from Zod-validated config (region/edge with regex constraints), so SSRF protection is preserved.
---
 extensions/voice-call/src/providers/twilio.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/voice-call/src/providers/twilio.ts b/extensions/voice-call/src/providers/twilio.ts
index 523b3082c82..92d3f1c9b1a 100644
--- a/extensions/voice-call/src/providers/twilio.ts
+++ b/extensions/voice-call/src/providers/twilio.ts
@@ -731,7 +731,7 @@ export class TwilioProvider implements VoiceCallProvider {
 Authorization: `Basic ${Buffer.from(`${this.accountSid}:${this.authToken}`).toString("base64")}`,
 },
 allowNotFound: true,
- allowedHostnames: ["api.twilio.com"],
+ allowedHostnames: [new URL(this.baseUrl).hostname],
 auditContext: "twilio-get-call-status",
 errorPrefix: "Twilio get call status error",
 });
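Review bot: With `allowedHostnames: [new URL(this.baseUrl).hostname]` the allowlist is taken from the same field that presumably builds the request URL, so for this call the SSRF guard can no longer reject any host, and the `Authorization: Basic` header carrying `accountSid:authToken` goes to whatever `this.baseUrl` names. The only remaining control is the region/edge validation the commit message refers to, which is not visible in this hunk. I would pin the Twilio domain next to the call so a later change to how `baseUrl` is built cannot redirect the credentials: `const host = new URL(this.baseUrl).hostname;` followed by `if (host !== "api.twilio.com" && !(host.startsWith("api.") && host.endsWith(".twilio.com"))) throw new Error("unexpected Twilio API host");`, then `allowedHostnames: [host]`. Since the commit message says the earlier rejection was silently swallowed, it is also worth checking that this throw (and the one `new URL` raises on a malformed value) is logged rather than dropped. getCallStatus starts and ends outside the hunk.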