From f8613badb2f34373b6c18c38cad8f890c6d58a7d Mon Sep 17 00:00:00 2001 From: Daniel Gadd Date: Mon, 11 May 2026 19:14:22 +0100 Subject: [PATCH] Server Side Request Forgery SSRF via Overly [sc-215694] - Manifest updates to properly whitelist urls --- manifest.json | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/manifest.json b/manifest.json index 02f3167..37607d1 100644 --- a/manifest.json +++ b/manifest.json @@ -3,7 +3,7 @@ "title": "Azure Devops", "description": "View information from your DevOps work items by linking them to your Deskpro tickets", "appStoreUrl": "https://www.deskpro.com/product-embed/apps/azure-devops", - "version": "1.0.44", + "version": "1.0.45", "scope": "agent", "hasDevMode": true, "isSingleInstall": false, @@ -77,7 +77,17 @@ "proxy": { "whitelist": [ { - "url": "https://.*", + "url": "https://([a-z0-9-]+\\.)*dev\\.azure\\.com/.*", + "methods": ["GET", "POST", "PUT", "PATCH"], + "timeout": 10 + }, + { + "url": "https://app\\.vssps\\.visualstudio\\.com/oauth2/token", + "methods": ["POST"], + "timeout": 10 + }, + { + "url": "__instance_url.regex_quote__/.*", "methods": ["GET", "POST", "PUT", "PATCH"], "timeout": 10 }
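Review bot: The new `dev.azure.com` pattern on the first `"url"` line is not anchored, so whether it actually closes the SSRF depends on how the Deskpro proxy applies the whitelist regex — if it uses a substring search rather than a full-string match, a target such as `https://attacker.example/?u=https://dev.azure.com/` still contains a matching substring. Anchoring costs nothing and removes the dependency on the proxy's matching mode: `"url": "^https://([a-z0-9-]+\\.)*dev\\.azure\\.com/.*$"` for the DevOps API entry and `"url": "^https://app\\.vssps\\.visualstudio\\.com/oauth2/token$"` for the token endpoint (the doubled backslashes stay, since these are JSON string literals). The `__instance_url.regex_quote__/.*` entry is only as safe as the instance URL setting it expands from; that value is presumably admin-configured and validated elsewhere, which this hunk cannot confirm.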