Skip to content

guard json schema ref retrieval against internal targets#2269

Open
uwezkhan wants to merge 4 commits into
confluentinc:masterfrom
uwezkhan:json-schema-ssrf-guard
Open

guard json schema ref retrieval against internal targets#2269
uwezkhan wants to merge 4 commits into
confluentinc:masterfrom
uwezkhan:json-schema-ssrf-guard

Conversation

@uwezkhan

@uwezkhan uwezkhan commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

The JSON deserializer resolves a $ref the schema registry doesn't know about by handing the raw URI to httpx.get in _retrieve_via_httpx. The writer schema is selected by the schema id embedded in the consumed message, so a producer can register a schema whose $ref points at http://169.254.169.254/..., loopback, or an RFC1918 host, and the consumer fetches it during deserialization and parses the response as a schema.

Before, any scheme and any address were fetched. After, the helper requires http/https, resolves the host, and refuses private, loopback, link-local, reserved, multicast, or unspecified targets (including IPv4-mapped IPv6); public URLs still resolve as they did. The check lives in the retrieve callback because that is the single point every $ref lookup passes through, so the sync and async paths are both covered without each caller repeating it. Tradeoff: a schema legitimately served from an internal host is now rejected and has to be reachable at a public address or registered as a named reference.

@uwezkhan uwezkhan requested review from a team and Matthew Seal (MSeal) as code owners June 8, 2026 15:07
@confluent-cla-assistant

confluent-cla-assistant Bot commented Jun 8, 2026

Copy link
Copy Markdown

🎉 All Contributor License Agreements have been signed. Ready to merge.
✅ uwezkhan
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

@rayokota Robert Yokota (rayokota) added the component:schema-registry Any schema registry related isues rather than kafka isolated ones label Jun 8, 2026
@rayokota

Copy link
Copy Markdown
Member

/sem-approve

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens JSON Schema $ref retrieval during deserialization by adding an allowlist-style network guard in the shared external-retrieve callback, preventing SSRF-style fetches to internal/non-routable targets while preserving public URL retrieval.

Changes:

  • Add _guard_external_uri() and IP classification helpers to block non-HTTP(S) schemes and non-public resolved targets before fetching.
  • Update _retrieve_via_httpx() to apply the guard and explicitly disable redirect following.
  • Add tests validating that internal/non-HTTP(S) targets are rejected without issuing an HTTP request, and that a public-resolving host is allowed.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
src/confluent_kafka/schema_registry/common/json_schema.py Adds URI scheme/host validation and IP-range blocking before performing external $ref retrieval.
tests/schema_registry/test_json_schema_retrieve.py Adds regression tests for allowed/blocked $ref retrieval behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/confluent_kafka/schema_registry/common/json_schema.py Outdated
Comment thread src/confluent_kafka/schema_registry/common/json_schema.py Outdated
Comment thread tests/schema_registry/test_json_schema_retrieve.py Outdated
@uwezkhan

uwezkhan commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

any update ?

@uwezkhan uwezkhan force-pushed the json-schema-ssrf-guard branch from 02db2c7 to ac82621 Compare July 8, 2026 16:46
@uwezkhan

uwezkhan commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Rebased on master and force-pushed. The last commit had a malformed committer email, which is what kept the CLA check stuck; it passes now. The rebase also restored the urlsplit import that the earlier merge of master dropped, so the guard actually runs again. No other changes, flake8 and the retrieve tests pass locally.

@rayokota

Copy link
Copy Markdown
Member

/sem-approve

@uwezkhan

uwezkhan commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

The Semaphore failure was the style-format check: black wants the parametrize list in the new test file wrapped differently. Ran tools/style-format.sh --fix on it and pushed. Formatting only, no behavior change; flake8, mypy and the retrieve tests all pass locally. It will need another /sem-approve to rerun CI.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

component:schema-registry Any schema registry related isues rather than kafka isolated ones

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants