fix: SSRF security hardening #1754
Open
paustint wants to merge 1 commit into
Conversation
Tighten up validation for sso network requests
Improve url validation for user-provided manual request endpoints
Strip unnecessary headers when proxying request to Salesforce
Contributor
Pull request overview
This PR hardens several SSRF/credential-exfiltration sinks by (1) validating and pinning outbound connections to pre-validated public IPs to mitigate DNS rebinding TOCTOU, and (2) ensuring caller-controlled Salesforce request paths cannot escape the org’s instance origin.
Changes:
- Add hostname resolution that returns validated public IPs and an undici dispatcher that pins connections to those validated IPs.
- Enforce same-origin + HTTPS resolution for Salesforce callouts, and tighten API input validation to host-relative paths for SSRF-prone endpoints.
- Switch OIDC discovery/token/userinfo fetches and SAML metadata/file verification fetches to use pinned dispatchers where appropriate.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| libs/shared/node-utils/src/lib/network.utils.ts | Adds validated DNS resolution + pinned undici dispatcher to prevent DNS rebinding TOCTOU. |
| libs/shared/node-utils/src/lib/tests/network.utils.spec.ts | Adds unit tests for validated IP resolution helper. |
| libs/salesforce-api/src/lib/callout-adapter.ts | Adds same-origin/HTTPS URL resolution guard before attaching Salesforce session credentials. |
| libs/salesforce-api/src/lib/tests/callout-adapter.spec.ts | Adds tests for same-origin URL resolution + ensures fetch is not called on escape attempts. |
| libs/auth/server/src/lib/oidc.service.ts | Routes oauth4webapi traffic through a pinned custom fetch to close DNS rebinding window. |
| apps/api/src/app/controllers/team.controller.ts | Pins SAML metadata fetch hops and domain verification file fetches to validated public IPs. |
| apps/api/src/app/controllers/sf-misc.controller.ts | Tightens url validation for SSRF-prone Salesforce proxy endpoints to host-relative paths. |
| apps/api/src/app/controllers/tests/team.controller.spec.ts | Updates mocks/assertions for new pinned-dispatcher behavior in fetchSamlMetadata. |
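As an added example, not the project's code and not part of this PR, here is a from-scratch TypeScript sketch of the two guards the overview describes: a private/reserved-IP classifier of the kind a validated lookup applies before pinning an outbound connection, and a same-origin/HTTPS resolution check for caller-supplied Salesforce request paths. All names here are this example's own choice; `isPrivateOrReservedIp` happens to match a name visible in the diff, but this body is not the PR's implementation.

```typescript
// Added example, not the project's code. Names are this example's own.
import { isIP } from 'node:net';

// IPv4: private, loopback, link-local, CGNAT, multicast and reserved ranges.
function isPrivateOrReservedIpv4(address: string): boolean {
  const [a, b] = address.split('.').map(Number);
  return (
    a === 0 ||                             // 0.0.0.0/8
    a === 10 ||                            // 10.0.0.0/8
    a === 127 ||                           // 127.0.0.0/8 loopback
    (a === 100 && b >= 64 && b <= 127) ||  // 100.64.0.0/10 carrier-grade NAT
    (a === 169 && b === 254) ||            // 169.254.0.0/16 link-local (cloud metadata endpoints live here)
    (a === 172 && b >= 16 && b <= 31) ||   // 172.16.0.0/12
    (a === 192 && b === 168) ||            // 192.168.0.0/16
    a >= 224                               // 224.0.0.0/4 multicast, 240.0.0.0/4 reserved
  );
}

// Expand an IPv6 literal to eight 16-bit groups, handling "::" and an IPv4-mapped tail.
function expandIpv6(address: string): number[] | null {
  let addr = address.toLowerCase();
  const v4 = addr.match(/(\d+\.\d+\.\d+\.\d+)$/);
  if (v4) {
    // Rewrite a trailing dotted quad (::ffff:10.0.0.1) as two hex groups.
    const o = v4[1].split('.').map(Number);
    addr = addr.slice(0, -v4[1].length) + ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const parts = addr.split('::');
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (parts.length === 1 && missing !== 0)) return null;
  return [...head, ...new Array<string>(missing).fill('0'), ...tail].map((g) => parseInt(g, 16));
}

// Fail closed: anything that is not a routable public literal counts as reserved.
function isPrivateOrReservedIp(address: string): boolean {
  const version = isIP(address);
  if (version === 4) return isPrivateOrReservedIpv4(address);
  if (version !== 6) return true;
  const g = expandIpv6(address);
  if (!g) return true;
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (mapped) {
    // ::ffff:a.b.c.d wraps an IPv4 address; judge it by the IPv4 rules.
    return isPrivateOrReservedIpv4(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
  }
  const unspecified = g.every((x) => x === 0);                        // ::
  const loopback = g.slice(0, 7).every((x) => x === 0) && g[7] === 1; // ::1
  const uniqueLocal = (g[0] & 0xfe00) === 0xfc00;                     // fc00::/7
  const linkLocal = (g[0] & 0xffc0) === 0xfe80;                       // fe80::/10
  const multicast = (g[0] & 0xff00) === 0xff00;                       // ff00::/8
  return unspecified || loopback || uniqueLocal || linkLocal || multicast;
}

function tryParseUrl(input: string, base?: URL): URL | null {
  try {
    return new URL(input, base);
  } catch {
    return null;
  }
}

// Resolve a caller-supplied Salesforce request path against the org's instance URL and
// require the result to stay on that exact origin over HTTPS. Returns null on any escape:
// absolute URLs, protocol-relative "//host", backslash variants (the WHATWG parser treats
// "\" as "/" for https), embedded credentials, or an instance URL that is not itself https.
function resolveSameOriginUrl(instanceUrl: string, requestPath: string): string | null {
  const instance = tryParseUrl(instanceUrl);
  // Relative input resolves under the instance; absolute input replaces the origin entirely.
  const resolved = instance ? tryParseUrl(requestPath, instance) : null;
  if (!instance || !resolved) return null;
  if (instance.protocol !== 'https:' || resolved.protocol !== 'https:') return null;
  if (resolved.origin !== instance.origin) return null;
  if (resolved.username || resolved.password) return null;
  return resolved.toString();
}
```

The origin comparison is deliberately done after resolution rather than by inspecting the raw string, so `//attacker.example/x`, `\\attacker.example/x` and `https://u:p@instance/x` are all judged by where they actually resolve; an ordinary path such as `/services/data/v60.0/limits` resolves back onto the instance origin and is returned normalized. The IP classifier fails closed on anything it cannot parse, which is the behaviour wanted in a lookup callback that gates credential-bearing requests.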
Comment on lines +159 to +164

```ts
for (const { address } of validatedAddresses) {
  if (isPrivateOrReservedIp(address)) {
    callback(new Error('Hostname resolves to a private or reserved IP address'), '');
    return;
  }
}
```
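Review bot: The loop rejects the whole hostname as soon as any one resolved address is private or reserved, which is the right fail-closed choice for a multi-record answer (a resolver under someone else's control can mix one internal address into an otherwise public set), but the name `validatedAddresses` on the array being checked suggests the filtering already happened upstream. Consider naming the input `resolvedAddresses` (or `candidates`) and documenting the all-or-nothing rule in a comment, so a later edit does not quietly turn this into a filter that drops the private entries and continues with the rest.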
Comment on lines +166 to +173

```ts
if (options.all) {
  callback(null, validatedAddresses);
  return;
}

const [first] = validatedAddresses;
callback(null, first.address, first.family);
};
```
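Review bot: `const [first] = validatedAddresses;` has no guard for an empty array: if resolution produced no addresses (and no earlier check outside this region rejects that case), `first` is `undefined` and `first.address` throws a TypeError inside the lookup callback instead of reporting through `callback(err)`. Add an explicit check ahead of the `options.all` branch, e.g. `if (validatedAddresses.length === 0) { callback(new Error('Hostname did not resolve to any address'), ''); return; }`, so neither path hands back an empty result or crashes.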
Comment on lines +26 to +39

```ts
function createPinnedCustomFetch(): OidcCustomFetch {
  return async (url, options) => {
    const fetchInit: RequestInit & { dispatcher?: Dispatcher } = {
      body: options.body,
      headers: options.headers,
      method: options.method,
      redirect: options.redirect,
      signal: options.signal,
    };
    if (ENV.USE_SECURE_COOKIES) {
      fetchInit.dispatcher = await createPinnedPublicIpDispatcher(new URL(url).hostname);
    }
    return fetch(url, fetchInit);
  };
```
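Review bot: The pinned dispatcher is only attached when `ENV.USE_SECURE_COOKIES` is true, so in any environment with that flag off the OIDC discovery/token/userinfo fetches go through the default dispatcher and the DNS rebinding window this PR sets out to close stays open; cookie security and DNS pinning are unrelated concerns, so either apply the dispatcher unconditionally or gate it on its own explicit flag. Separately, since `options.redirect` is passed straight through, confirm how `createPinnedPublicIpDispatcher(new URL(url).hostname)` behaves when a response redirects to a different host: the pin was computed for the original hostname only, so a followed redirect should be refused or re-validated rather than sent through a dispatcher pinned for another host's addresses.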