Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(workers): safe_fetch pins IP + manual redirect re-validation

Browse Source 
Two real findings from the security reviewer:

1. urllib auto-follows 3xx redirects via the default HTTPRedirectHandler.
   The previous code's hop loop never ran — urllib silently followed.
   Replaced with http.client + a manual hop loop. Every hop re-runs
   _validate_url, so an open-redirect to 127.0.0.1 / RFC1918 / metadata
   gets caught on the second hop.

2. DNS TOCTOU — _resolve() validated but urllib.request re-resolved on
   connect. Now the connection is pinned to the validated IP via a
   PinnedHTTPConn / PinnedHTTPSConn subclass that overrides connect() to
   bind socket.create_connection to (addr, port). For HTTPS, TLS
   server_hostname is set to the original host so SNI + cert
   verification still work against the named host while the TCP
   destination is the pinned IP.

Tests added: redirect-to-loopback short-circuits at validation;
too-many-redirects exhausts max_hops; 2xx returns body; non-2xx raises.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
root
2026-06-01 10:28:55 +10:00
parent 7707b7eb00
commit a8b2cddcf5
2 changed files with 165 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
workers/tests/test_safe_fetch.py
View File

@@ -1,5 +1,6 @@
import pytest
from void_workers.safe_fetch import safe_fetch, SafeFetchError
from unittest.mock import patch, MagicMock
from void_workers.safe_fetch import safe_fetch, SafeFetchError, _validate_url
def test_rejects_file_scheme():
@@ -25,3 +26,66 @@ def test_rejects_metadata_endpoint():
def test_rejects_cgnat():
with pytest.raises(SafeFetchError):
safe_fetch("http://100.64.0.1/x")
def test_redirect_to_loopback_is_rejected():
"""Open-redirect attack: a public URL 302s to http://127.0.0.1/.
The loop re-runs full validation on the next hop, so the redirect
target's literal IP triggers _validate_url and raises."""
redirect_headers = MagicMock()
redirect_headers.get.return_value = "http://127.0.0.1/admin"
call_count = {"n": 0}
def side_effect(url, **_kw):
call_count["n"] += 1
if call_count["n"] == 1:
# First hop: 302 to a blocked address.
return (302, redirect_headers, b"")
# Second hop: should never reach _request_one because _validate_url
# in _request_one will raise before issuing the request.
raise AssertionError("second hop was issued — validation bypassed!")
# Patch _request_one to short-circuit only the FIRST hop's network IO.
# The second hop's call still goes through the real _request_one which
# invokes the real _validate_url — that's where the blocked-IP error
# comes from.
import void_workers.safe_fetch as sf
real_request_one = sf._request_one
def hybrid(url, **kw):
if call_count["n"] == 0:
return side_effect(url, **kw)
return real_request_one(url, **kw)
with patch.object(sf, "_request_one", side_effect=hybrid):
with pytest.raises(SafeFetchError, match="blocked"):
safe_fetch("http://example.com/")
def test_too_many_redirects():
redirect_headers = MagicMock()
redirect_headers.get.return_value = "http://example.com/loop"
with patch("void_workers.safe_fetch._request_one",
return_value=(302, redirect_headers, b"")):
with pytest.raises(SafeFetchError, match="too many redirects"):
safe_fetch("http://example.com/loop", max_hops=2)
def test_validate_url_returns_pinned_address_for_literal_public_ip():
scheme, host, port, path, addr, family = _validate_url("http://8.8.8.8:80/x")
assert host == "8.8.8.8"
assert addr == "8.8.8.8"
assert port == 80
def test_2xx_returns_body():
headers = MagicMock()
with patch("void_workers.safe_fetch._request_one",
return_value=(200, headers, b"hello")):
assert safe_fetch("http://example.com/x") == b"hello"
def test_non_2xx_raises():
headers = MagicMock()
with patch("void_workers.safe_fetch._request_one",
return_value=(500, headers, b"err")):
with pytest.raises(SafeFetchError, match="http 500"):
safe_fetch("http://example.com/x")

136
workers/void_workers/safe_fetch.py
View File

@@ -1,18 +1,22 @@
"""Python port of lib/ingest/safe_fetch.js.
"""SSRF-safe HTTP client used by sync.source_doc (and any future workers).
Same SSRF mitigations the Node side ships:
Same contract as lib/ingest/safe_fetch.js on the Node side:
- http/https only
- DNS-resolved hostnames checked against loopback / RFC1918 /
link-local / CGNAT / IPv6 ULA + link-local
- Redirects followed manually with the same checks on each hop
- VOID_INGEST_ALLOW_PRIVATE=true gate for offline-fixture tests
- DNS-resolve and reject loopback / RFC1918 / link-local / CGNAT / metadata /
IPv6 ULA + link-local
- Pin the validated IP into the connection so a rebind between our DNS check
and the TCP connect cannot point us at an internal address.
- Follow redirects MANUALLY, re-validating every hop. We disable urllib's
built-in redirect handler so it cannot silently auto-follow.
- `VOID_INGEST_ALLOW_PRIVATE=true` gate for offline-fixture tests.
"""
import socket
import http.client
import ipaddress
import urllib.request
import urllib.error
import os
from urllib.parse import urlparse
import socket
import ssl
import urllib.parse
BLOCK_V4_NETS = [ipaddress.ip_network(c) for c in [
"0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8",
@@ -42,41 +46,101 @@ def _is_blocked(addr):
return False
def _resolve(host):
def _resolve_validated(host):
"""Resolve the host and return (address, family). Raises if any returned
address is in a blocked range."""
try:
infos = socket.getaddrinfo(host, None)
except socket.gaierror as e:
raise SafeFetchError(f"no DNS for {host}: {e}")
addrs = list({i[4][0] for i in infos})
for a in addrs:
if _is_blocked(a):
raise SafeFetchError(f"{host} resolves to blocked address {a}")
addrs = {(i[4][0], i[0]) for i in infos} # de-dupe
if not addrs:
raise SafeFetchError(f"no addresses for {host}")
return addrs[0]
for a, _fam in addrs:
if _is_blocked(a):
raise SafeFetchError(f"{host} resolves to blocked address {a}")
# Pick the first record. Caller pins this exact IP into the socket.
address, family = next(iter(addrs))
return address, family
def _validate_url(url):
"""Returns (scheme, hostname, port, path-with-query, pinned_addr, family)."""
u = urllib.parse.urlparse(url)
if u.scheme not in ("http", "https"):
raise SafeFetchError(f"unsupported scheme {u.scheme}")
host = u.hostname
if not host:
raise SafeFetchError(f"no hostname in {url}")
# Literal IP path
try:
ipaddress.ip_address(host)
if _is_blocked(host):
raise SafeFetchError(f"blocked literal IP {host}")
addr, family = host, (socket.AF_INET6 if ":" in host else socket.AF_INET)
except ValueError:
addr, family = _resolve_validated(host)
port = u.port or (443 if u.scheme == "https" else 80)
path = (u.path or "/") + (("?" + u.query) if u.query else "")
return u.scheme, host, port, path, addr, family
def _request_one(url, *, headers, timeout):
"""Issue one HTTP request with the IP pinned. Returns
(status, headers_obj, body_bytes). Does NOT follow redirects."""
scheme, host, port, path, addr, family = _validate_url(url)
# Build a socket bound to the validated IP. http.client lets us pass a
# custom socket via a connection subclass.
class PinnedHTTPConn(http.client.HTTPConnection):
def connect(self):
self.sock = socket.create_connection(
(addr, port), timeout=timeout,
source_address=None
)
class PinnedHTTPSConn(http.client.HTTPSConnection):
def connect(self):
sock = socket.create_connection(
(addr, port), timeout=timeout
)
ctx = ssl.create_default_context()
# TLS SNI + cert verification against the original hostname,
# while the TCP connection is pinned to the validated IP.
self.sock = ctx.wrap_socket(sock, server_hostname=host)
if scheme == "https":
conn = PinnedHTTPSConn(host, port, timeout=timeout)
else:
conn = PinnedHTTPConn(host, port, timeout=timeout)
try:
req_headers = {"Host": host, **(headers or {})}
conn.request("GET", path, headers=req_headers)
resp = conn.getresponse()
body = resp.read()
return resp.status, resp.headers, body
finally:
conn.close()
def safe_fetch(url, *, headers=None, timeout=15, max_hops=5):
"""GET `url` with SSRF mitigations. Returns body bytes on 2xx, raises on
non-2xx (after exhausting redirect budget)."""
current = url
for hop in range(max_hops + 1):
u = urlparse(current)
if u.scheme not in ("http", "https"):
raise SafeFetchError(f"unsupported scheme {u.scheme}")
host = u.hostname
try:
ipaddress.ip_address(host)
if _is_blocked(host):
raise SafeFetchError(f"blocked literal IP {host}")
except ValueError:
_resolve(host)
req = urllib.request.Request(current, headers=headers or {})
try:
opener = urllib.request.build_opener()
with opener.open(req, timeout=timeout) as r:
return r.read()
except urllib.error.HTTPError as e:
if e.code in (301, 302, 303, 307, 308) and "Location" in e.headers and hop < max_hops:
current = e.headers["Location"]
continue
raise
status, resp_headers, body = _request_one(
current, headers=headers, timeout=timeout
)
if status in (301, 302, 303, 307, 308):
loc = resp_headers.get("Location")
if not loc:
raise SafeFetchError("redirect without Location")
if hop >= max_hops:
raise SafeFetchError(f"too many redirects ({max_hops})")
# Resolve relative redirects + re-validate on the next loop pass.
current = urllib.parse.urljoin(current, loc)
continue
if 200 <= status < 300:
return body
raise SafeFetchError(f"http {status} from {current}")
raise SafeFetchError(f"too many redirects ({max_hops})")