mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
main
stack/docs/scratchpads/279-orchestrator-url-validation.md
Jason Woltje 0a527d2a4e
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
fix(#279): Validate orchestrator URL configuration (SSRF risk) 
Implemented comprehensive URL validation to prevent SSRF attacks:
- Created URL validator utility with protocol whitelist (http/https only)
- Blocked access to private IP ranges (10.x, 192.168.x, 172.16-31.x)
- Blocked loopback addresses (127.x, localhost, 0.0.0.0)
- Blocked link-local addresses (169.254.x)
- Blocked IPv6 localhost (::1, ::)
- Allow localhost in development/test environments only
- Added structured audit logging for invalid URL attempts
- Comprehensive test coverage (37 tests for URL validator)

Security Impact:
- Prevents attackers from redirecting agent spawn requests to internal services
- Blocks data exfiltration via malicious orchestrator URL
- All agent operations now validated against SSRF

Files changed:
- apps/api/src/federation/utils/url-validator.ts (new)
- apps/api/src/federation/utils/url-validator.spec.ts (new)
- apps/api/src/federation/federation-agent.service.ts (validation integration)
- apps/api/src/federation/federation-agent.service.spec.ts (test updates)
- apps/api/src/federation/audit.service.ts (audit logging)
- apps/api/src/federation/federation.module.ts (service exports)

Fixes #279

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 20:47:41 -06:00

47 lines
1.5 KiB
Markdown
Raw Permalink Blame History

# Issue #279: Validate orchestrator URL configuration (SSRF risk)
## Objective
Prevent SSRF vulnerability by validating orchestrator URL from environment variables. Ensure URL format is valid, protocol is whitelisted (http/https), and hostname is not malicious.
## Security Impact
- SSRF vulnerability - attacker could point URL to internal services
- Data exfiltration - agent spawn requests sent to attacker-controlled server
- All agent operations compromised
## Location
`apps/api/src/federation/federation-agent.service.ts:43-56`
## Approach
1. Create URL validation utility function
2. Whitelist protocols (http, https only)
3. Validate hostname (reject localhost, private IPs, loopback)
4. Add structured logging for validation failures via audit service
5. Write comprehensive tests
## Implementation Plan
- [ ] Write tests for URL validation (RED)
- [ ] Implement URL validation logic (GREEN)
- [ ] Integrate validation into FederationAgentService constructor
- [ ] Add audit logging for invalid URLs
- [ ] Refactor for clarity
- [ ] Run quality gates
## Testing
- Valid URLs (http://example.com:3001, https://orchestrator.example.com)
- Invalid protocols (ftp://, file://, javascript:)
- Internal/private IPs (127.0.0.1, 192.168.x.x, 10.x.x.x)
- Localhost variants (localhost, 0.0.0.0)
- Malformed URLs
## Notes
- Use Node's built-in URL class for parsing
- Consider environment-specific allowlists (dev can use localhost)
- Add security event logging via FederationAuditService
Reference in New Issue View Git Blame Copy Permalink