TASK-009: Mitigate SSRF vulnerability in blocklist URL validation

- Change BlocklistSourceCreate.url from str to AnyHttpUrl (Pydantic type) - Rejects non-http schemes (file://, ftp://, etc.) at model boundary - Add is_private_ip() utility to detect RFC 1918 private ranges: - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC 1918) - 127.0.0.0/8, ::1/128 (loopback) - 169.254.0.0/16, fe80::/10 (link-local) - IPv6 site-local, multicast, and reserved ranges - Add async validate_blocklist_url() function: - Resolves hostname via DNS using loop.run_in_executor() - Rejects if hostname resolves to private/reserved IP - Raises ValueError on validation failure - Integrate validation into service layer: - create_source() calls validate_blocklist_url() before persist - update_source() conditionally validates if url provided - Both raise ValueError on failure - Update router endpoints with error handling: - create_blocklist() and update_blocklist() catch ValueError - Return HTTP 400 Bad Request with descriptive error message - Add comprehensive test coverage (9 new SSRF tests): - file://, ftp://, localhost, 127.0.0.1, 192.168.x.x - 10.x.x.x, 172.16.x.x, 169.254.x.x (link-local) - Valid public URLs (passes validation) - All 36 service tests passing - Update documentation: - Features.md: Document URL validation constraints - Backend-Development.md: Add SSRF prevention pattern section Fixes SSRF vulnerability where authenticated users could supply file://, ftp://, or private IP URLs and the backend would fetch them. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 12:57:23 +02:00
parent a5b55d1248
commit 4ab767e3d4
9 changed files with 291 additions and 66 deletions
--- a/backend/app/routers/blocklist.py
+++ b/backend/app/routers/blocklist.py
@@ -97,10 +97,16 @@ async def create_blocklist(

    Returns:
        The newly created :class:`~app.models.blocklist.BlocklistSource`.
+
+    Raises:
+        HTTPException: 400 if URL validation fails.
    """
-    return await blocklist_service.create_source(
-        db, payload.name, payload.url, enabled=payload.enabled
-    )
+    try:
+        return await blocklist_service.create_source(
+            db, payload.name, str(payload.url), enabled=payload.enabled
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(exc)) from exc


 # ---------------------------------------------------------------------------
@@ -283,15 +289,19 @@ async def update_blocklist(
        _auth: Validated session — enforces authentication.

    Raises:
+        HTTPException: 400 if URL validation fails.
        HTTPException: 404 if the source does not exist.
    """
-    updated = await blocklist_service.update_source(
-        db,
-        source_id,
-        name=payload.name,
-        url=payload.url,
-        enabled=payload.enabled,
-    )
+    try:
+        updated = await blocklist_service.update_source(
+            db,
+            source_id,
+            name=payload.name,
+            url=str(payload.url) if payload.url is not None else None,
+            enabled=payload.enabled,
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(exc)) from exc
    if updated is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Blocklist source not found.")
    return updated