[PM-31671] Add SSRF protections to ChangePasswordUriSErvice

[nikwithak]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-31671

📔 Objective

This prevents the service that retrieves the change password URL from exposing internal details, by verifying that the domain does not resolve to an internal IP address. It uses the same approach as the Icons service in following redirects to ensure they are not internal-only services.

Note: When testing locally, all URLs are passing through 127.0.0.1 due to a local proxy - I had to add UseProxy=false to the HttpClientHandler constructor on SErviceCollectionExtension.cs:48. I suspect this is something configured in my localhost dev environment, since the existing IconsService uses this same approach without issue.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Checkmarx One – Scan Summary & Details – ff7a33dd-2461-4be8-9ae8-d57cb9b65ddb

---

New Issues (2)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 307	details Method at line 307 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from organizationUser... Attack Vector
2		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 307	details Method at line 307 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 55

[codecov]

Codecov Report

❌ Patch coverage is 84.61538% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.02%. Comparing base (89f6e43) to head (1fc46a3).
⚠️ Report is 21 commits behind head on main.

Files with missing lines	Patch %	Lines
src/Icons/Services/ChangePasswordUriService.cs	84.31%	6 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7332      +/-   ##
==========================================
+ Coverage   57.91%   58.02%   +0.11%     
==========================================
  Files        2044     2049       +5     
  Lines       90130    90408     +278     
  Branches     8018     8036      +18     
==========================================
+ Hits        52199    52460     +261     
- Misses      36066    36082      +16     
- Partials     1865     1866       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.