fix(everything): block SSRF to internal/metadata IPs in gzip-file-as-resource#4498
Open
olaservo wants to merge 2 commits into
Open
fix(everything): block SSRF to internal/metadata IPs in gzip-file-as-resource#4498olaservo wants to merge 2 commits into
olaservo wants to merge 2 commits into
Conversation
…resource The gzip-file-as-resource tool fetched a caller-supplied URL with only an optional domain allowlist (empty by default, treated as allow-all) and no IP-range filtering, and followed redirects without re-validation. A prompt-injection-steered URL could drive the server to fetch loopback, private, link-local, and cloud-metadata endpoints (e.g. 169.254.169.254) and return their contents to the caller. Resolve the destination host and refuse non-public IP addresses (loopback, private/RFC1918, link-local/metadata, ULA, multicast, reserved, unspecified), covering IPv4, IPv6, and IPv4-mapped IPv6, and follow redirects manually so every hop is re-validated. This applies regardless of GZIP_ALLOWED_DOMAINS, whose domain-allowlist semantics are unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Unwrap deprecated IPv4-compatible IPv6 addresses (::a.b.c.d, ::/96) and classify them as IPv4, so forms like [::127.0.0.1] are refused rather than treated as public. Adds test coverage for the IPv4-compatible form and for carrier-grade NAT (100.64.0.0/10). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds SSRF protection to the
everythingserver'sgzip-file-as-resourcetool. The tool fetched a caller-suppliedhttp/httpsURL and returned the (compressed) response as a resource. Its only host restriction was an optional domain allowlist (GZIP_ALLOWED_DOMAINS) that is empty by default and treated as "all domains allowed", with no IP-range filtering and automatic redirect following. Because the URL is model-produced and prompt-injection-steerable, the server could be driven to fetch loopback, private, link-local, and cloud-metadata endpoints (e.g.169.254.169.254) and return their contents to the caller.Server Details
@modelcontextprotocol/server-everything)gzip-file-as-resource)Motivation and Context
validateDataURIallowedhttp/https/dataand enforced only the domain allowlist (skipped entirely when empty), andfetchSafelycalledfetch(url)with default redirect following and no loopback/RFC1918/link-local/metadata checks.What this PR does:
assertPublicHost()plus IPv4/IPv6 classifiers that resolve the destination host and refuse non-public addresses (loopback, private/RFC1918, link-local/metadata, ULA, multicast, reserved, unspecified), covering IPv4, IPv6, and IPv4-mapped IPv6 (including the hex form the WHATWG URL parser normalizes to).fetchWithGuardedRedirects(redirect: "manual"), re-validating the host on every hop and refusing redirects to non-http(s) schemes.GZIP_ALLOWED_DOMAINS. The domain-allowlist semantics are intentionally left unchanged (empty still means "all domains"), so the tool's default demo URL keeps working; the allowlist and the SSRF guard are independent controls.How Has This Been Tested?
169.254.169.254, RFC1918 ranges,0.0.0.0, IPv6 loopback, IPv4-mapped IPv6) via IP literals (no network required).npm run build(tsc) passes; fullvitestsuite passes (115 tests, including the 8 new cases).data:URI and public-URL behavior is unchanged and still covered by tests.Breaking Changes
No client configuration changes required. Behavior only changes for requests that targeted non-public IPs, which are now refused (the intended fix).
data:URIs and public URLs are unaffected.Types of changes
Checklist
Additional context
Docs updated in
docs/instructions.mdanddocs/structure.mdto note that internal/metadata IPs are always blocked (and re-validated across redirects) independent of the allowlist. As with any resolve-then-connect guard, a narrow DNS-rebinding window remains; pinning to the validated IP could be added later.🤖 Generated with Claude Code