fix: close redirect-based SSRF bypass in local provider fetches (sec)

[sroussey]

The bug (HIGH severity SSRF residual)

PR #533 added a strict local-only allow-list (isLocalHostname /
normalizeLocalHttpUrl / extractRawHost in @workglow/ai
provider-utils, packages/ai/src/provider-utils/localUrl.ts) so that
llama.cpp-server and stable-diffusion.cpp-server providers only ever talk
to on-host backends.

That allow-list only validates the initial base URL. The provider
clients then issue bare fetch(...) calls, which use the default
redirect: "follow". A validated local server (or anything that can sit
at the configured base URL) that responds with, e.g.:

302 Found
Location: http://169.254.169.254/latest/meta-data/

is followed transparently to the new host. The allow-list never sees
the redirect target, so the local-only guarantee is bypassed — classic
SSRF (cloud-metadata exfiltration, internal-service probing, etc.).

The fix

New helper packages/ai/src/provider-utils/localOnlyFetch.ts:

• Uses redirect: "manual" and walks the redirect chain itself.
• Re-validates every 3xx Location (resolved against the current URL
  so relative redirects work) through the same isLocalHostname
  allow-list used for the base URL.
• Rejects redirect targets that are non-HTTP(S) or carry credentials.
• Caps the chain at 5 hops (MAX_REDIRECTS) and throws on overflow.
• Returns the final Response unchanged, so streaming consumers
  (readChatCompletionDeltas, res.json(), etc.) are unaffected.

Re-exported from the provider-utils barrel. isLocalHostname was
already exported by localUrl.ts, so no change was needed there.

Changed call sites

Every provider fetch() that talks to an on-host backend now goes
through localOnlyFetch(url, init, "<ProviderLabel>"):

llamacpp-server (providers/llamacpp-server/src/ai/common/)

• LlamaCppServer_ModelInfo.ts (both /props and /v1/models calls)
• LlamaCppServer_ModelSearch.ts
• LlamaCppServer_TextGeneration.ts
• LlamaCppServer_ToolCalling.ts
• LlamaCppServer_TextEmbedding.ts
• LlamaCppServer_TextSummary.ts
• LlamaCppServer_TextRewriter.ts

stable-diffusion-server (providers/stable-diffusion-server/src/ai/common/)

• StableDiffusionCpp_ModelInfo.ts
• StableDiffusionCpp_ModelSearch.ts
• StableDiffusionCpp_ImageGenerate.ts
• StableDiffusionCpp_ImageEdit.ts

Only the fetch -> localOnlyFetch substitution and the necessary
import were changed; request bodies, headers, signals and streaming
response handling are untouched.

Tests

Adds packages/test/src/test/ai-provider-api/localOnlyFetch.test.ts
(vitest, matching the sibling localUrl.test.ts). It stubs global
fetch with a queued list of Response objects and asserts:

• 302 -> http://169.254.169.254/... throws (non-local), one fetch issued.
• 302 -> external https://evil.example.com throws.
• 302 -> local http://127.0.0.1:9000/v1/models is followed; final 200
  body returned.
• relative Location: /v1/models against a local base is followed.
• plain 200 (no redirect) returns body unchanged with exactly one fetch.

• 5 chained local redirects throws "too many redirects".

• original global fetch restored in afterEach.

Test plan

• CI: typecheck @workglow/ai, llamacpp-server, stable-diffusion-server.
• CI: run the ai-provider-api test section (incl. localOnlyFetch.test.ts).
• CI: confirm existing LlamaCppServer_Client / StableDiffusionCpp_Client tests still pass.

NOTE: This environment has no checkout — types, lint, and tests were
NOT run locally. CI must validate the build and the new/existing tests.

---

Generated by Claude Code

[Copilot]

Pull request overview

This PR hardens “local backend” provider HTTP calls against redirect-based SSRF by introducing a localOnlyFetch helper that manually follows redirects and re-validates redirect targets, then updating llama.cpp-server and stable-diffusion-server provider call sites to use it.

Changes:

• Add packages/ai/src/provider-utils/localOnlyFetch.ts and re-export it from @workglow/ai/provider-utils.
• Replace direct fetch(...) calls in local-backend providers with localOnlyFetch(...).
• Add Vitest coverage for redirect handling in localOnlyFetch.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
providers/stable-diffusion-server/src/ai/common/StableDiffusionCpp_ModelSearch.ts	Switch model list fetch to localOnlyFetch
providers/stable-diffusion-server/src/ai/common/StableDiffusionCpp_ModelInfo.ts	Switch /v1/models fetch to localOnlyFetch
providers/stable-diffusion-server/src/ai/common/StableDiffusionCpp_ImageGenerate.ts	Switch image generation POST to localOnlyFetch
providers/stable-diffusion-server/src/ai/common/StableDiffusionCpp_ImageEdit.ts	Switch img2img POST to localOnlyFetch
providers/llamacpp-server/src/ai/common/LlamaCppServer_ToolCalling.ts	Switch chat completions POST to localOnlyFetch
providers/llamacpp-server/src/ai/common/LlamaCppServer_TextSummary.ts	Switch chat completions POST to localOnlyFetch
providers/llamacpp-server/src/ai/common/LlamaCppServer_TextRewriter.ts	Switch chat completions POST to localOnlyFetch
providers/llamacpp-server/src/ai/common/LlamaCppServer_TextGeneration.ts	Switch chat completions POST to localOnlyFetch
providers/llamacpp-server/src/ai/common/LlamaCppServer_TextEmbedding.ts	Switch embeddings POST to localOnlyFetch
providers/llamacpp-server/src/ai/common/LlamaCppServer_ModelSearch.ts	Switch model list fetch to localOnlyFetch
providers/llamacpp-server/src/ai/common/LlamaCppServer_ModelInfo.ts	Switch /props and /v1/models fetches to localOnlyFetch
packages/test/src/test/ai-provider-api/localOnlyFetch.test.ts	Add redirect-chain SSRF regression tests for localOnlyFetch
packages/ai/src/provider-utils/localOnlyFetch.ts	New redirect-validating fetch helper for “local-only” provider traffic
packages/ai/src/provider-utils.ts	Re-export localOnlyFetch from provider-utils barrel

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sroussey]

Fixed in 80b3c33. localOnlyFetch now parses and validates the initial input URL (protocol, credentials, loopback host) before any network call, so a bad initial URL throws with zero fetches issued.

---

Generated by Claude Code

[sroussey]

Fixed in 80b3c33. Redirect validation now requires the new isLoopbackHostname (loopback-only: localhost, 127.0.0.0/8, ::1, IPv4-mapped loopback) instead of isLocalHostname, so 169.254.169.254 and the rest of 169.254.0.0/16 link-local are rejected. These servers are localhost-only by design.

---

Generated by Claude Code

[sroussey]

Fixed in 80b3c33. Redirect following is now restricted to the standard redirect codes 301/302/303/307/308 (a REDIRECT_STATUS_CODES Set). Other 3xx responses (e.g. 300, 304, 306) are returned unchanged even if they carry a Location. The numeric-status + headers.get guard is retained so non-spec test doubles still pass through as terminal.

---

Generated by Claude Code

[sroussey]

Fixed in 80b3c33. The contradiction is gone: 169.254.169.254 is now a REJECTED redirect target (asserts throws with exactly one fetch), and an RFC 1918 case (10.0.0.5) was added to prove the policy is loopback-only, not merely "non-public". The comments no longer describe link-local as in-scope.

---

Generated by Claude Code

[sroussey]

Fixed in 80b3c33. The queue and comment now agree: 6 redirect responses are queued (hops 0..5, six fetches), which exhausts MAX_REDIRECTS=5 and throws on the count guard; the test also asserts exactly 6 fetches. The stray 7th response was removed.

---

Generated by Claude Code

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	62.11%	24603 / 39611
🔵	Statements	61.96%	25457 / 41080
🔵	Functions	63.05%	4661 / 7392
🔵	Branches	50.76%	12060 / 23756

File Coverage

No changed files found.

Generated in workflow #2440 for commit 80b3c33 by the Vitest Coverage Report Action