fix(security): mitigate SSRF on the url parameter #787
Closed
deniak wants to merge 2 commits into
Conversation
Resolves a reported SSRF vulnerability where the `url` parameter was passed to fetch() without any IP-level validation, allowing requests to loopback, private, link-local, and cloud metadata addresses.

Changes:
- Add ssrf.ts with `safeFetch()` and `checkHostname()` helpers. Uses ipaddr.js (already a transitive dep) to classify resolved IPs and blocks everything except the unicast (public) range.
- `safeFetch()` intercepts every redirect (redirect: "manual") and re-validates the destination hostname before following it, capped at 5 hops.
- Replace bare fetch() calls in generators/respec.ts (crawlRaw) and generators/bikeshed.ts (generateIssuesList) with safeFetch().
- Add checkHostname() call in resolveUrlOrFile() before passing a URL to ReSpec's toHTML() (which runs in a headless browser context and cannot be intercepted at the fetch layer).
- Add 13 unit tests covering all blocked ranges and public allow-list.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previously used only as a transitive dep; now relied on directly in ssrf.ts so it should be pinned in package.json.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
Superseded by (human-authored) #788 which covers cases which this missed or broke
Summary
- `ssrf.ts` with a `safeFetch()` wrapper and `checkHostname()` helper that guard against Server-Side Request Forgery on the `url` parameter
- `ipaddr.js` (already a transitive dependency) to classify resolved IP addresses and block everything outside the public unicast range (loopback, private RFC-1918, link-local, cloud metadata `169.254.169.254`, multicast, unspecified)
- `safeFetch()` uses `redirect: "manual"` to intercept every redirect and re-validates the destination hostname before following it, capped at 5 hops
- `fetch()` calls in `generators/respec.ts` (`crawlRaw`) and `generators/bikeshed.ts` (`generateIssuesList`)
- `checkHostname()` guard in `resolveUrlOrFile()` before the URL is handed to ReSpec's `toHTML()`, which runs in a headless browser and cannot be intercepted at the fetch layer

What a reviewer should know
The fix follows the guidance from the security report: resolve DNS and block private/loopback/link-local/multicast/cloud-metadata ranges, and re-validate after every redirect.
`ipaddr.js` handles the range classification so there is no hand-rolled CIDR arithmetic.
The `toHTML()` call in ReSpec cannot have its internal fetches intercepted (it spawns a headless browser), so the mitigation there is the upstream `checkHostname()` check — the URL is validated before being passed in.

Test plan
- `npm test` passes (unit tests run via `tsx test/index.test.ts`)
- `curl "http://localhost:3000/?type=respec&url=http://169.254.169.254/"` → 400
- `curl "http://localhost:3000/?type=respec&url=http://127.0.0.1/"` → 400
- `curl "http://localhost:3000/?type=respec&url=http://192.168.1.1/"` → 400

🤖 Generated with Claude Code
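The `checkHostname()` / `safeFetch()` design described in the summary and test plan, written out as an added example that is not the PR's own `ssrf.ts`: hand-rolled range checks covering the ranges listed above stand in for `ipaddr.js` so it runs with no dependencies, and both the DNS resolver and the fetch implementation are injectable parameters (an assumption of this example, not of the PR) so the redirect re-validation can be exercised offline. It assumes Node 18+ for `node:dns/promises` and the global `fetch`.

```typescript
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";
type Resolver = (host: string) => Promise<string[]>;
type FetchLike = (url: string, init?: { redirect: "manual" }) => Promise<{ status: number; headers: { get(name: string): string | null } }>;

// Hand-rolled range checks stand in for ipaddr.js so this example has no dependencies (an assumption).
function ipv4IsPublic(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  if (a === 0 || a === 10 || a === 127) return false;        // unspecified, 10/8, loopback
  if (a === 169 && b === 254) return false;                  // link-local, incl. 169.254.169.254
  if (a === 100 && b >= 64 && b <= 127) return false;        // 100.64/10 carrier-grade NAT
  if (a === 172 && b >= 16 && b <= 31) return false;         // 172.16/12
  if (a === 192 && b === 168) return false;                  // 192.168/16
  return a < 224;                                            // multicast, reserved, broadcast (NaN fails closed)
}
function ipv6IsPublic(ip: string): boolean {
  const l = ip.toLowerCase();
  if (l.startsWith("::ffff:")) return ipv4IsPublic(l.slice(7)); // IPv4-mapped, dotted form
  if (l === "::" || l === "::1") return false;                  // unspecified, loopback
  if (/^fe[89ab]/.test(l) || /^f[cd]/.test(l)) return false;    // fe80::/10 link-local, fc00::/7 ULA
  return !l.startsWith("ff");                                   // multicast
}
const systemResolve: Resolver = async (host) => (await lookup(host, { all: true })).map((r) => r.address);

// Resolve the hostname and reject unless every address it maps to is public unicast.
export async function checkHostname(hostname: string, resolve: Resolver = systemResolve): Promise<string[]> {
  const bare = hostname.replace(/^\[|\]$/g, "");             // URL.hostname brackets IPv6 literals
  const addrs = isIP(bare) ? [bare] : await resolve(bare);
  if (addrs.length === 0) throw new Error(`SSRF: ${hostname} did not resolve`);
  for (const ip of addrs) {
    if (!(isIP(ip) === 4 ? ipv4IsPublic(ip) : ipv6IsPublic(ip)))
      throw new Error(`SSRF: ${hostname} resolves to non-public address ${ip}`);
  }
  return addrs;
}

// Follow redirects by hand, re-running checkHostname on each Location before the next hop.
export async function safeFetch(url: string, fetchImpl: FetchLike = (globalThis as any).fetch,
                                resolve: Resolver = systemResolve, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    const u = new URL(current);
    if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error(`SSRF: ${u.protocol} not allowed`);
    await checkHostname(u.hostname, resolve);
    const res = await fetchImpl(current, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || !location) return res;
    current = new URL(location, current).toString();         // relative Location resolved against current
  }
  throw new Error(`SSRF: more than ${maxHops} redirects from ${url}`);
}
```

Because the hostname is resolved once in the check and again by the HTTP client, a DNS answer that changes between the two lookups is not covered by this pattern; connecting to the address that was actually validated closes that gap.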