fix(ai): close WHATWG canonicalisation bypass in localOnlyFetch (sec)#542
Open
sroussey wants to merge 1 commit into
Open
fix(ai): close WHATWG canonicalisation bypass in localOnlyFetch (sec)#542sroussey wants to merge 1 commit into
sroussey wants to merge 1 commit into
Conversation
…al-URL check (sec) `assertLoopbackTarget` validated `new URL(input).hostname` for the initial URL, which WHATWG canonicalises so `0x7f.0.0.1`, `2130706433`, and lenient `010.0.0.1` all silently rewrite to `127.0.0.1`. Sibling `normalizeLocalHttpUrl` already closed the same bypass in PR #533 by validating `extractRawHost(rawUrl)`; apply the same fix here so any caller wiring `localOnlyFetch` against a user-supplied URL cannot regress. Redirect targets stay on canonical hostname (no raw form available, and the canonical check is still a tightening). Regression tests in localOnlyFetch.test.ts cover all three IPv4 spellings and assert zero fetches are made.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
localOnlyFetch's initial-URL gate validatednew URL(input).hostnameagainstisLoopbackHostname. The WHATWG URL parser silently rewrites non-standard IPv4 spellings to canonical dotted-quads, so any of the following inputs were silently accepted as loopback before this fix:http://0x7f.0.0.1/— hex-octet IPv4 rewritten to127.0.0.1http://2130706433/— uint32 IPv4 rewritten to127.0.0.1http://010.0.0.1/— lenient octal-looking IPv4 rewritten (runtime-dependent) to127.0.0.1(or10.0.0.1)That's an SSRF bypass for any caller wiring
localOnlyFetchagainst a user-supplied URL. SiblingnormalizeLocalHttpUrlalready closed the same bypass class in PR #533 by validatingextractRawHost(rawUrl)— this PR applies the same fix tolocalOnlyFetch.The fix
extractRawHostalongsideisLoopbackHostnamefrom./localUrl.assertLoopbackTargetgrows an optionalrawHost?: string | nullparameter. When supplied (initial URL), it is used (after stripping[]) for theisLoopbackHostnameliteral check instead ofurl.hostname; when omitted (redirect target), behaviour is unchanged.extractRawHost(input)is computed BEFORE any network call; anullresult throws${label}: invalid initial URL., otherwise the raw host is passed through toassertLoopbackTarget.assertLoopbackTarget(next, label, "redirect")) is intentionally unchanged: the raw form is not available for redirect targets, and the canonical-hostname check there is still a tightening. (The all-prior gating that led to the redirect — the same loopback check on the previous hop — is unaffected.)Regression cases added
packages/test/src/test/ai-provider-api/localOnlyFetch.test.tsgains three new tests, one per IPv4 spelling, each mirroring the existing "rejects a non-loopback initial URL before issuing any fetch" shape:http://0x7f.0.0.1/rejects with/non-loopback host|invalid initial URL/AND issues zero fetches.http://2130706433/rejects with the same pattern AND issues zero fetches.http://010.0.0.1/rejects with the same pattern AND issues zero fetches.The regex matches either of the two valid rejection messages:
non-loopback host(the expected path on every modern WHATWG runtime, where the raw host failsisLoopbackHostname's strict grammar) orinvalid initial URL(defensive fallback ifextractRawHostreturnsnullon some exotic input).Test plan
packages/testvitest suite locally / in CI and confirm alllocalOnlyFetchtests pass (existing 13 + 3 new = 16).assertLoopbackTargetexist in the package (it's file-private).extractRawHostis re-exported from./localUrl(already used bynormalizeLocalHttpUrlin the same package).https://claude.ai/code/session_014tiKE9KxsLy9rdhJk8qjmh
Generated by Claude Code