fix(security): block SSRF to private/internal/metadata addresses (closes #41)#42
Merged
Conversation
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013pFhk7BB4SZ8dNBLQbsiQL
…rgets Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013pFhk7BB4SZ8dNBLQbsiQL
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013pFhk7BB4SZ8dNBLQbsiQL
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013pFhk7BB4SZ8dNBLQbsiQL
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013pFhk7BB4SZ8dNBLQbsiQL
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013pFhk7BB4SZ8dNBLQbsiQL
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013pFhk7BB4SZ8dNBLQbsiQL
…idate allowlist CIDR prefix Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013pFhk7BB4SZ8dNBLQbsiQL
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #41.
Problem
The URL-fetch endpoints (
GET /api, MCPread_url) performed server-side fetches of any user-supplied URL with no address validation, allowing SSRF against internal and cloud-metadata endpoints (e.g.http://100.100.100.200/latest/user-data,http://169.254.169.254/).Fix
A new guard (
lib/ssrf.js) that, by default, denies requests whose resolved address falls in a private, loopback, link-local, CGNAT, or cloud-metadata range:http(s)schemes.64:ff9b::/96, 6to42002::/16, IPv4-compatible/-mapped) by matching the embedded IPv4, so legitimate public destinations still resolve on NAT64 hosts.redirect: 'manual'), so a public URL cannot 302 into an internal one./api(and anisErrorresult at MCPread_url), checked before the cache lookup so a previously-cached internal response cannot be served.Opt-out for self-hosters
Default-deny. Self-hosters who intentionally fetch internal hosts can allowlist specific CIDRs and/or hostnames via
PULLMD_ALLOWED_HOSTS(e.g.10.0.5.0/24,wiki.internal). There is no global kill-switch.Known residuals (documented)
Testing
/apiandisErrorat MCPread_url.Version bumped to 3.3.0 with a CHANGELOG
Securityentry andPULLMD_ALLOWED_HOSTSdocumented in.env.exampleand the help page.🤖 Generated with Claude Code
https://claude.ai/code/session_013pFhk7BB4SZ8dNBLQbsiQL