Push this scan report to OpenZeppelin/openzeppelin-contracts

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Issue title

Hi @OpenZeppelin, an automated scan of this repository surfaced **6 code-quality findings** that may be worth a look. 
Full details, severity filters, and per-file context are at the link below — feel free to close this issue if it isn't useful to you.

## Full interactive report

**https://repobility.com/scan/47a2334c-e2e2-49cc-9087-a4a6fae9320b/**

![Live scan page](https://repobility.com/scan/47a2334c-e2e2-49cc-9087-a4a6fae9320b/report.png?v=1778938259)

## At a glance

- **Score**: `89/100`  •  **Grade**: `A-`
- **Scanned**: `2026-05-16 13:30 UTC`
- **Lines of code**: 43,191
- **Total findings**: 6
- **Security-tagged**: 0
- **Credential / secret patterns**: 0

## Top issues, with file & line

_These are deterministic rule-based findings — the file paths and line numbers below are real and can be verified in your tree._

1. **[high]** [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — `contracts/utils/Base64.sol:27`
   _Validate the URL against an allowlist BEFORE fetching:   ALLOWED = {'images.example.com', 'cdn.example.com'}   host = urlparse(url).hostname   if host not in ALLOWED: abort(400)…_
2. **[high]** [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — `contracts/utils/cryptography/WebAuthn.sol:161`
   _Validate the URL against an allowlist BEFORE fetching:   ALLOWED = {'images.example.com', 'cdn.example.com'}   host = urlparse(url).hostname   if host not in ALLOWED: abort(400)…_
3. **[low]** Duplicated implementation block across source files — `test/crosschain/BridgeERC20.behavior.js:12`
   _Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found i…_
4. **[low]** Duplicated implementation block across source files — `test/crosschain/BridgeERC721.behavior.js:12`
   _Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found i…_
5. **[low]** Duplicated implementation block across source files — `test/crosschain/BridgeERC721.behavior.js:13`
   _Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found i…_

See all 6 findings, with severity filters and AI fix prompts: **https://repobility.com/scan/47a2334c-e2e2-49cc-9087-a4a6fae9320b/**

---

**What is this?** [Repobility](https://repobility.com) is a research project that scans public repositories with a multi-layer static analyzer (rule-based, no AI hallucinations) and learns code-quality patterns across a broad cross-repo corpus. This is **not a sales pitch** — there's no paywall, no signup required to view the report, and no payment ask. If the findings aren't useful, please close this issue and we won't post again.

**To re-run after fixes land:** paste your repo URL at [repobility.com](https://repobility.com) — fresh scan, free.

_Issue filed via the public Repobility report at https://repobility.com/scan/47a2334c-e2e2-49cc-9087-a4a6fae9320b/._