stack/docs/scratchpads/279-orchestrator-url-validation.md
Jason Woltje 0a527d2a4e
fix(#279): Validate orchestrator URL configuration (SSRF risk)
Implemented comprehensive URL validation to prevent SSRF attacks:
- Created URL validator utility with protocol whitelist (http/https only)
- Blocked access to private IP ranges (10.x, 192.168.x, 172.16-31.x)
- Blocked loopback addresses (127.x, localhost, 0.0.0.0)
- Blocked link-local addresses (169.254.x)
- Blocked IPv6 localhost (::1, ::)
- Allow localhost in development/test environments only
- Added structured audit logging for invalid URL attempts
- Comprehensive test coverage (37 tests for URL validator)

Security Impact:
- Prevents attackers from redirecting agent spawn requests to internal services
- Blocks data exfiltration via malicious orchestrator URL
- All agent operations now validated against SSRF

Files changed:
- apps/api/src/federation/utils/url-validator.ts (new)
- apps/api/src/federation/utils/url-validator.spec.ts (new)
- apps/api/src/federation/federation-agent.service.ts (validation integration)
- apps/api/src/federation/federation-agent.service.spec.ts (test updates)
- apps/api/src/federation/audit.service.ts (audit logging)
- apps/api/src/federation/federation.module.ts (service exports)

Fixes #279

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 20:47:41 -06:00

Issue #279: Validate orchestrator URL configuration (SSRF risk)

Objective

Prevent SSRF by validating the orchestrator URL read from environment variables. Ensure the URL format is valid, the protocol is whitelisted (http/https), and the hostname does not point at localhost, loopback, or private IP addresses.

Security Impact

  • SSRF vulnerability - attacker could point URL to internal services
  • Data exfiltration - agent spawn requests sent to attacker-controlled server
  • All agent operations compromised

Location

apps/api/src/federation/federation-agent.service.ts:43-56

Approach

  1. Create URL validation utility function
  2. Whitelist protocols (http, https only)
  3. Validate hostname (reject localhost, private IPs, loopback)
  4. Add structured logging for validation failures via audit service
  5. Write comprehensive tests

Implementation Plan

  • Write tests for URL validation (RED)
  • Implement URL validation logic (GREEN)
  • Integrate validation into FederationAgentService constructor
  • Add audit logging for invalid URLs
  • Refactor for clarity
  • Run quality gates

Testing

Notes

  • Use Node's built-in URL class for parsing
  • Consider environment-specific allowlists (dev can use localhost)
  • Add security event logging via FederationAuditService
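
The approach and notes above, sketched as an added TypeScript example. It is not the project's url-validator.ts: validateOrchestratorUrl, classifyHost, UrlCheck, the reason strings and the environment names are assumptions, it covers only the address ranges named in the commit message, and it reads "localhost in development/test" as any loopback host.

```typescript
// Added example: all names here are hypothetical, not the project's url-validator.ts.
interface UrlCheck { ok: boolean; reason: string; url?: URL }

const ALLOWED_PROTOCOLS = ["http:", "https:"];
const LOCALHOST_ENVS = ["development", "test"]; // assumed environment names

// Classify a hostname that the URL parser has already normalized.
// Returns "loopback", "private", "link-local", or null when not blocked.
function classifyHost(hostname: string): string | null {
  const host = hostname.replace(/\.$/, ""); // "localhost." resolves like "localhost"
  if (host === "localhost" || host === "[::1]" || host === "[::]") return "loopback";
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return null; // a DNS name: this sketch does not resolve it
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 127 || host === "0.0.0.0") return "loopback";
  if (a === 10 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31)) {
    return "private";
  }
  if (a === 169 && b === 254) return "link-local";
  return null;
}

// The returned reason is a stable string the caller can pass to its audit log.
function validateOrchestratorUrl(raw: string, env: string): UrlCheck {
  let url: URL;
  try {
    // The parser rewrites decimal/hex/short IPv4 forms to dotted-quad,
    // so every check runs on url.hostname, never on the raw string.
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "invalid-format" };
  }
  if (ALLOWED_PROTOCOLS.indexOf(url.protocol) === -1) {
    return { ok: false, reason: "protocol-not-allowed" };
  }
  const kind = classifyHost(url.hostname);
  const devLoopback = kind === "loopback" && LOCALHOST_ENVS.indexOf(env) !== -1;
  if (kind !== null && !devLoopback) {
    return { ok: false, reason: "blocked-host:" + kind };
  }
  return { ok: true, reason: "ok", url: url };
}
```

Because the hostname check is purely syntactic, a DNS name that resolves to an internal address passes it; catching that case requires checking the resolved address at connection time.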