fix(#279): Validate orchestrator URL configuration (SSRF risk)
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Implemented comprehensive URL validation to prevent SSRF attacks:

- Created URL validator utility with protocol whitelist (http/https only)
- Blocked access to private IP ranges (10.x, 192.168.x, 172.16-31.x)
- Blocked loopback addresses (127.x, localhost, 0.0.0.0)
- Blocked link-local addresses (169.254.x)
- Blocked IPv6 localhost (::1, ::)
- Allow localhost in development/test environments only
- Added structured audit logging for invalid URL attempts
- Comprehensive test coverage (37 tests for URL validator)

Security Impact:

- Prevents attackers from redirecting agent spawn requests to internal services
- Blocks data exfiltration via malicious orchestrator URL
- All agent operations now validated against SSRF

Files changed:

- apps/api/src/federation/utils/url-validator.ts (new)
- apps/api/src/federation/utils/url-validator.spec.ts (new)
- apps/api/src/federation/federation-agent.service.ts (validation integration)
- apps/api/src/federation/federation-agent.service.spec.ts (test updates)
- apps/api/src/federation/audit.service.ts (audit logging)
- apps/api/src/federation/federation.module.ts (service exports)

Fixes #279

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
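The checks listed in the commit message, sketched as an added example: this is not the project's `url-validator.ts`, and every name in it (`validateOrchestratorUrl`, `classify`, `Verdict`) is hypothetical. It goes beyond the listed cases by also covering IPv4-mapped IPv6 literals, and it assumes that only localhost, 127.x and ::1 are relaxed in development/test.

```typescript
// Added example (not the project's url-validator.ts); all names are hypothetical.
interface Verdict { ok: boolean; reason: string }

const ALLOWED_PROTOCOLS = ["http:", "https:"];

// Dotted-quad IPv4 literal -> octets, otherwise null.
function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// IPv4-mapped IPv6 in the form the URL parser serializes it, e.g. [::ffff:7f00:1].
function mappedIPv4(host: string): number[] | null {
  const m = /^\[::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})\]$/.exec(host);
  if (!m) return null;
  const [hi, lo] = m.slice(1).map((g) => parseInt(g, 16));
  return [hi >> 8, hi & 255, lo >> 8, lo & 255];
}

function classify(hostname: string): "loopback" | "internal" | "public" {
  const h = hostname.replace(/\.$/, ""); // tolerate a trailing dot
  if (h === "localhost" || h === "[::1]") return "loopback";
  if (h === "[::]") return "internal";
  const v4 = parseIPv4(h) ?? mappedIPv4(h);
  if (!v4) return "public"; // DNS name: what it resolves to is not checked here
  const [a, b] = v4;
  if (a === 127) return "loopback";
  // 0.x (covers 0.0.0.0), 10.x, 172.16-31.x, 192.168.x, 169.254.x
  const internal = a === 0 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
  return internal ? "internal" : "public";
}

function validateOrchestratorUrl(raw: string, nodeEnv: string): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "malformed" }; }
  if (ALLOWED_PROTOCOLS.indexOf(url.protocol) === -1) return { ok: false, reason: "protocol" };
  // new URL() has already normalized forms such as http://2130706433/ to 127.0.0.1.
  const kind = classify(url.hostname);
  const devLike = nodeEnv === "development" || nodeEnv === "test";
  if (kind === "internal" || (kind === "loopback" && !devLike)) {
    return { ok: false, reason: kind };
  }
  return { ok: true, reason: "ok" };
}
```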
46
docs/scratchpads/279-orchestrator-url-validation.md
Normal file
@@ -0,0 +1,46 @@
|
||||
# Issue #279: Validate orchestrator URL configuration (SSRF risk)
|
||||
|
||||
## Objective
|
||||
|
||||
Prevent SSRF vulnerability by validating orchestrator URL from environment variables. Ensure URL format is valid, protocol is whitelisted (http/https), and hostname is not malicious.
|
||||
|
||||
## Security Impact
|
||||
|
||||
- SSRF vulnerability - attacker could point URL to internal services
|
||||
- Data exfiltration - agent spawn requests sent to attacker-controlled server
|
||||
- All agent operations compromised
|
||||
|
||||
## Location
|
||||
|
||||
`apps/api/src/federation/federation-agent.service.ts:43-56`
|
||||
|
||||
## Approach
|
||||
|
||||
1. Create URL validation utility function
|
||||
2. Whitelist protocols (http, https only)
|
||||
3. Validate hostname (reject localhost, private IPs, loopback)
|
||||
4. Add structured logging for validation failures via audit service
|
||||
5. Write comprehensive tests
|
||||
|
||||
## Implementation Plan
|
||||
|
||||
- [ ] Write tests for URL validation (RED)
|
||||
- [ ] Implement URL validation logic (GREEN)
|
||||
- [ ] Integrate validation into FederationAgentService constructor
|
||||
- [ ] Add audit logging for invalid URLs
|
||||
- [ ] Refactor for clarity
|
||||
- [ ] Run quality gates
|
||||
|
||||
## Testing
|
||||
|
||||
- Valid URLs (http://example.com:3001, https://orchestrator.example.com)
|
||||
- Invalid protocols (ftp://, file://, javascript:)
|
||||
- Internal/private IPs (127.0.0.1, 192.168.x.x, 10.x.x.x)
|
||||
- Localhost variants (localhost, 0.0.0.0)
|
||||
- Malformed URLs
|
||||
|
||||
## Notes
|
||||
|
||||
- Use Node's built-in URL class for parsing
|
||||
- Consider environment-specific allowlists (dev can use localhost)
|
||||
- Add security event logging via FederationAuditService
|
||||
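Review bot: The Testing list stops at 127.0.0.1, 192.168.x.x, 10.x.x.x, localhost and 0.0.0.0, so it omits the 172.16-31.x, 169.254.x and IPv6 (::1, ::) cases that the commit message says are blocked; add them so the plan and the validator agree. Approach step 3 validates the hostname as configured, and nothing in the document says what happens when a DNS name resolves to a private address, so either state that this is out of scope or plan a check at request time. The Implementation Plan checkboxes are all still `[ ]` although the commit message describes the work as implemented; tick them or drop the list before merging.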