feat(offchain): add --allow-private-offchain-urls flag #2131

Draft: ArturWieczorek wants to merge 2 commits into master from allow-private-offchain-urls

@ArturWieczorek
Contributor

Description

cardano-db-sync's off-chain pool and vote metadata fetchers reject URLs whose host or resolved IP is in a private, loopback, or link-local range as an SSRF mitigation.

Local-cluster test setups whose metadata is served from http://localhost:.../poolN.json or similar therefore cannot exercise the success path of the fetcher.

This adds an opt-in CLI flag that replaces both layers of the restriction with a no-op for the duration of the run, intended for local-cluster testing only. Off by default; the existing restriction continues to apply to every production deployment.

  • New SyncNodeParams field enpAllowPrivateOffChainUrls plumbed through SyncOptions (soptAllowPrivateOffChainUrls) into the off-chain fetcher threads.
  • parseOffChainUrl now takes a Bool: when True the isLocalhostHost rejection is skipped.
  • newRestrictedManager now takes a Bool: when True it installs a permissiveRestriction (addressRestriction returning Nothing for every address) instead of offchainRestriction, so DNS-resolved private IPs are no longer blocked at connect time either.
  • New Hedgehog suite Cardano.DbSync.OffChain.HttpTest covering both modes for localhost/127./[::1]/10./192.168. plus a public URL and non-HTTP schemes.

Checklist

  • Commit sequence broadly makes sense
  • Commits have useful messages
  • New tests are added if needed and existing tests are updated
  • Any changes are noted in the changelog
  • Code is formatted with fourmolu on version 0.17.0.0 (which can be run with scripts/fourmolize.sh)
  • Self-reviewed the diff

Migrations

  • The PR causes a breaking change of type a, b or c
  • If there is a breaking change, the PR includes a database migration and/or a fix process for old values, so that upgrade is possible
  • Resyncing and running the migrations provided will result in the same database semantically

If there is a breaking change, especially a big one, please add a justification here. Please elaborate more on what the migration achieves, what it cannot achieve or why a migration is not possible.

ArturWieczorek force-pushed the allow-private-offchain-urls branch 6 times, most recently from 62bb83d to 288cbac (May 28, 2026 11:26)

cardano-db-sync's off-chain pool and vote metadata fetchers reject
URLs whose host or resolved IP is in a private, loopback, or
link-local range as an SSRF mitigation (see parseOffChainUrl and
newRestrictedManager in cardano-db-sync/src/Cardano/DbSync/
OffChain/Http.hs). Local-cluster test setups whose metadata is
served from http://localhost:.../poolN.json or similar therefore
cannot exercise the success path of the fetcher.

This adds an opt-in CLI flag that replaces both layers of the
restriction with a no-op for the duration of the run, intended
for local-cluster testing only. Off by default; the existing
restriction continues to apply to every production deployment.

* New SyncNodeParams field enpAllowPrivateOffChainUrls plumbed
  through SyncOptions (soptAllowPrivateOffChainUrls) into the
  off-chain fetcher threads.
* parseOffChainUrl now takes a Bool: when True the isLocalhostHost
  rejection is skipped.
* newRestrictedManager now takes a Bool: when True it installs a
  permissiveRestriction (addressRestriction returning Nothing for
  every address) instead of offchainRestriction, so DNS-resolved
  private IPs are no longer blocked at connect time either.
* New Hedgehog suite Cardano.DbSync.OffChain.HttpTest covering
  both modes for localhost/127./[::1]/10./192.168. plus a public
  URL and non-HTTP schemes.

Adds a table-driven Hedgehog property that exercises every classification
branch of isPrivateAddr — IPv4-mapped IPv6 (the SSRF gap fixed in #2132),
native IPv6, and IPv4 — with range-edge cases included to guard against

ArturWieczorek force-pushed the allow-private-offchain-urls branch from 288cbac to b86b22a (May 28, 2026 11:42)
@Cmdv
Contributor

Cmdv commented May 29, 2026

looks good so far, but could we have it as a config option rather than a command line flag?
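
The two-layer check this pull request describes (a URL-level host rejection plus a connect-time address restriction, both switched off by one opt-in flag), sketched in Python as an added example; it is not code from the pull request or from cardano-db-sync. The function names, the localhost name list and the choice to keep the scheme check in permissive mode are assumptions, and the resolved addresses passed to layer 2 are constructed inputs, not real DNS answers.

```python
import ipaddress
from urllib.parse import urlsplit

LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}  # assumed name list


def is_private_addr(text):
    """True for private, loopback, link-local or unspecified addresses."""
    ip = ipaddress.ip_address(text)
    # Unwrap ::ffff:a.b.c.d so the embedded IPv4 address is what gets classified.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def check_url(url, allow_private=False):
    """Layer 1: decide on the scheme and the literal host, before any DNS lookup."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "rejected: scheme"  # assumption: enforced in both modes
    host = (parts.hostname or "").lower()
    if not host:
        return "rejected: no host"
    if allow_private:
        return "ok"  # opt-in flag: host rejection skipped
    if host in LOCALHOST_NAMES or host.endswith(".localhost"):
        return "rejected: localhost"
    try:
        if is_private_addr(host):
            return "rejected: private literal"
    except ValueError:
        pass  # a DNS name; layer 2 decides once it has resolved
    return "ok"


def check_connect(resolved_ip, allow_private=False):
    """Layer 2: called with the address the client is about to connect to."""
    if allow_private:
        return "ok"  # permissive restriction: nothing is blocked
    return "rejected: private address" if is_private_addr(resolved_ip) else "ok"
```

A public-looking DNS name passes layer 1 and is only caught at layer 2 when it resolves to a private address, which is why the flag has to relax both layers for a local cluster and why both stay on by default.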
