TASK-009: Mitigate SSRF vulnerability in blocklist URL validation
- Change BlocklistSourceCreate.url from str to AnyHttpUrl (Pydantic type)
- Rejects non-http schemes (file://, ftp://, etc.) at model boundary
- Add is_private_ip() utility to detect RFC 1918 private ranges:
- 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC 1918)
- 127.0.0.0/8, ::1/128 (loopback)
- 169.254.0.0/16, fe80::/10 (link-local)
- IPv6 site-local, multicast, and reserved ranges
- Add async validate_blocklist_url() function:
- Resolves hostname via DNS using loop.run_in_executor()
- Rejects if hostname resolves to private/reserved IP
- Raises ValueError on validation failure
- Integrate validation into service layer:
- create_source() calls validate_blocklist_url() before persist
- update_source() conditionally validates if url provided
- Both raise ValueError on failure
- Update router endpoints with error handling:
- create_blocklist() and update_blocklist() catch ValueError
- Return HTTP 400 Bad Request with descriptive error message
- Add comprehensive test coverage (9 new SSRF tests):
- file://, ftp://, localhost, 127.0.0.1, 192.168.x.x
- 10.x.x.x, 172.16.x.x, 169.254.x.x (link-local)
- Valid public URLs (passes validation)
- All 36 service tests passing
- Update documentation:
- Features.md: Document URL validation constraints
- Backend-Development.md: Add SSRF prevention pattern section
Fixes SSRF vulnerability where authenticated users could supply
file://, ftp://, or private IP URLs and the backend would fetch them.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Lukas
4ab767e3d4