feat: US-110 - Add SSRF protection — block private IPs and validate redirects

Author: NathanFlurry

packages/secure-exec-node/src/driver.ts

@@ -1,5 +1,6 @@
 import * as dns from "node:dns";
 import * as fs from "node:fs/promises";
+import * as net from "node:net";
 import type { AddressInfo } from "node:net";
 import * as http from "node:http";
 import * as https from "node:https";
@@ -180,6 +181,76 @@ function normalizeLoopbackHostname(hostname?: string): string {
 	);
 }
 
+/** Check whether an IP address falls in a private/reserved range (SSRF protection). */
+export function isPrivateIp(ip: string): boolean {
+	// Normalize IPv4-mapped IPv6 (::ffff:a.b.c.d → a.b.c.d)
+	const normalized = ip.startsWith("::ffff:") ? ip.slice(7) : ip;
+
+	if (net.isIPv4(normalized)) {
+		const parts = normalized.split(".").map(Number);
+		const [a, b] = parts;
+		return (
+			a === 10 ||                                  // 10.0.0.0/8
+			(a === 172 && b >= 16 && b <= 31) ||         // 172.16.0.0/12
+			(a === 192 && b === 168) ||                   // 192.168.0.0/16
+			a === 127 ||                                  // 127.0.0.0/8
+			(a === 169 && b === 254) ||                   // 169.254.0.0/16 (link-local)
+			a === 0 ||                                    // 0.0.0.0/8
+			(a >= 224 && a <= 239) ||                     // 224.0.0.0/4 (multicast)
+			(a >= 240)                                    // 240.0.0.0/4 (reserved)
+		);
+	}
+
+	if (net.isIPv6(normalized)) {
+		const lower = normalized.toLowerCase();
+		return (
+			lower === "::1" ||                            // loopback
+			lower === "::" ||                             // unspecified
+			lower.startsWith("fc") ||                     // fc00::/7 (ULA)
+			lower.startsWith("fd") ||                     // fc00::/7 (ULA)
+			lower.startsWith("fe80") ||                   // fe80::/10 (link-local)
+			lower.startsWith("ff")                        // ff00::/8 (multicast)
+		);
+	}
+
+	return false;
+}
+
+/** Resolve hostname to IP and block private/reserved ranges (SSRF protection). */
+async function assertNotPrivateHost(url: string): Promise<void> {
+	const parsed = new URL(url);
+	// Non-network schemes don't need SSRF checks
+	if (parsed.protocol === "data:" || parsed.protocol === "blob:") return;
+
+	const hostname = parsed.hostname;
+	// Strip brackets from IPv6 literals
+	const bare = hostname.startsWith("[") && hostname.endsWith("]")
+		? hostname.slice(1, -1)
+		: hostname;
+
+	// If hostname is already an IP literal, check directly
+	if (net.isIP(bare)) {
+		if (isPrivateIp(bare)) {
+			throw new Error(`SSRF blocked: ${hostname} resolves to private IP`);
+		}
+		return;
+	}
+
+	// Resolve DNS and check all addresses
+	const address = await new Promise<string>((resolve, reject) => {
+		dns.lookup(bare, (err, addr) => {
+			if (err) reject(err);
+			else resolve(addr);
+		});
+	});
+
+	if (isPrivateIp(address)) {
+		throw new Error(`SSRF blocked: ${hostname} resolves to private IP ${address}`);
+	}
+}
+
+const MAX_REDIRECTS = 20;
+
 /**
  * Create a Node.js network adapter that provides real fetch, DNS, HTTP client,
  * and loopback-only HTTP server support. Binary responses are base64-encoded
@@ -286,42 +357,68 @@ export function createDefaultNetworkAdapter(): NetworkAdapter {
 		},
 
 		async fetch(url, options) {
-			const response = await fetch(url, {
-				method: options?.method || "GET",
-				headers: options?.headers,
-				body: options?.body,
-			});
-			const headers: Record<string, string> = {};
-			response.headers.forEach((v, k) => {
-				headers[k] = v;
-			});
+			// SSRF: validate initial URL and manually follow redirects
+			let currentUrl = url;
+			let redirected = false;
+
+			for (let i = 0; i <= MAX_REDIRECTS; i++) {
+				await assertNotPrivateHost(currentUrl);
+
+				const response = await fetch(currentUrl, {
+					method: options?.method || "GET",
+					headers: options?.headers,
+					body: options?.body,
+					redirect: "manual",
+				});
+
+				// Follow redirects with re-validation
+				const status = response.status;
+				if (status === 301 || status === 302 || status === 303 || status === 307 || status === 308) {
+					const location = response.headers.get("location");
+					if (!location) break;
+					currentUrl = new URL(location, currentUrl).href;
+					redirected = true;
+					// POST→GET for 301/302/303
+					if (status === 301 || status === 302 || status === 303) {
+						options = { ...options, method: "GET", body: undefined };
+					}
+					continue;
+				}
+
+				const headers: Record<string, string> = {};
+				response.headers.forEach((v, k) => {
+					headers[k] = v;
+				});
 
-			delete headers["content-encoding"];
-
-			const contentType = response.headers.get("content-type") || "";
-			const isBinary =
-				contentType.includes("octet-stream") ||
-				contentType.includes("gzip") ||
-				url.endsWith(".tgz");
-
-			let body: string;
-			if (isBinary) {
-				const buffer = await response.arrayBuffer();
-				body = Buffer.from(buffer).toString("base64");
-				headers["x-body-encoding"] = "base64";
-			} else {
-				body = await response.text();
+				delete headers["content-encoding"];
+
+				const contentType = response.headers.get("content-type") || "";
+				const isBinary =
+					contentType.includes("octet-stream") ||
+					contentType.includes("gzip") ||
+					currentUrl.endsWith(".tgz");
+
+				let body: string;
+				if (isBinary) {
+					const buffer = await response.arrayBuffer();
+					body = Buffer.from(buffer).toString("base64");
+					headers["x-body-encoding"] = "base64";
+				} else {
+					body = await response.text();
+				}
+
+				return {
+					ok: response.ok,
+					status: response.status,
+					statusText: response.statusText,
+					headers,
+					body,
+					url: currentUrl,
+					redirected,
+				};
 			}
 
-			return {
-				ok: response.ok,
-				status: response.status,
-				statusText: response.statusText,
-				headers,
-				body,
-				url: response.url,
-				redirected: response.redirected,
-			};
+			throw new Error("Too many redirects");
 		},
 
 		async dnsLookup(hostname) {
@@ -337,6 +434,9 @@ export function createDefaultNetworkAdapter(): NetworkAdapter {
 		},
 
 		async httpRequest(url, options) {
+			// SSRF: block requests to private/reserved IPs
+			await assertNotPrivateHost(url);
+
 			return new Promise((resolve, reject) => {
 				const urlObj = new URL(url);
 				const isHttps = urlObj.protocol === "https:";

packages/secure-exec-node/src/index.ts

@@ -36,6 +36,7 @@ export {
 	createNodeRuntimeDriverFactory,
 	NodeFileSystem,
 	filterEnv,
+	isPrivateIp,
 } from "./driver.js";
 export type {
 	NodeDriverOptions,

packages/secure-exec/src/node/driver.ts

@@ -6,6 +6,7 @@ export {
 	NodeFileSystem,
 	NodeExecutionDriver,
 	filterEnv,
+	isPrivateIp,
 } from "@secure-exec/node";
 export type {
 	NodeDriverOptions,

packages/secure-exec/tests/runtime-driver/node/ssrf-protection.test.ts

@@ -0,0 +1,165 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { createDefaultNetworkAdapter } from "../../../src/index.js";
+import { isPrivateIp } from "../../../src/node/driver.js";
+
+describe("SSRF protection", () => {
+	// ---------------------------------------------------------------
+	// isPrivateIp — unit coverage for all reserved ranges
+	// ---------------------------------------------------------------
+
+	describe("isPrivateIp", () => {
+		it.each([
+			["10.0.0.1", true],          // 10.0.0.0/8
+			["10.255.255.255", true],
+			["172.16.0.1", true],         // 172.16.0.0/12
+			["172.31.255.255", true],
+			["172.15.0.1", false],        // just below range
+			["172.32.0.1", false],        // just above range
+			["192.168.0.1", true],        // 192.168.0.0/16
+			["192.168.255.255", true],
+			["127.0.0.1", true],          // 127.0.0.0/8
+			["127.255.255.255", true],
+			["169.254.169.254", true],    // 169.254.0.0/16 (link-local / metadata)
+			["169.254.0.1", true],
+			["0.0.0.0", true],            // 0.0.0.0/8
+			["224.0.0.1", true],          // multicast
+			["239.255.255.255", true],
+			["240.0.0.1", true],          // reserved
+			["255.255.255.255", true],
+			["8.8.8.8", false],           // public
+			["1.1.1.1", false],
+			["142.250.80.46", false],     // google
+		])("IPv4 %s → %s", (ip, expected) => {
+			expect(isPrivateIp(ip)).toBe(expected);
+		});
+
+		it.each([
+			["::1", true],               // loopback
+			["::", true],                // unspecified
+			["fc00::1", true],            // ULA fc00::/7
+			["fd12:3456::1", true],       // ULA fd
+			["fe80::1", true],            // link-local
+			["ff02::1", true],            // multicast
+			["2607:f8b0:4004::1", false], // public (google)
+		])("IPv6 %s → %s", (ip, expected) => {
+			expect(isPrivateIp(ip)).toBe(expected);
+		});
+
+		it("detects IPv4-mapped IPv6 addresses", () => {
+			expect(isPrivateIp("::ffff:10.0.0.1")).toBe(true);
+			expect(isPrivateIp("::ffff:169.254.169.254")).toBe(true);
+			expect(isPrivateIp("::ffff:8.8.8.8")).toBe(false);
+		});
+	});
+
+	// ---------------------------------------------------------------
+	// Network adapter SSRF blocking
+	// ---------------------------------------------------------------
+
+	describe("network adapter blocks private IPs", () => {
+		const adapter = createDefaultNetworkAdapter();
+
+		it("fetch blocks metadata endpoint 169.254.169.254", async () => {
+			await expect(
+				adapter.fetch("http://169.254.169.254/latest/meta-data/", {}),
+			).rejects.toThrow(/SSRF blocked/);
+		});
+
+		it("fetch blocks 10.x private range", async () => {
+			await expect(
+				adapter.fetch("http://10.0.0.1/internal", {}),
+			).rejects.toThrow(/SSRF blocked/);
+		});
+
+		it("fetch blocks 192.168.x private range", async () => {
+			await expect(
+				adapter.fetch("http://192.168.1.1/admin", {}),
+			).rejects.toThrow(/SSRF blocked/);
+		});
+
+		it("httpRequest blocks metadata endpoint 169.254.169.254", async () => {
+			await expect(
+				adapter.httpRequest("http://169.254.169.254/latest/meta-data/", {}),
+			).rejects.toThrow(/SSRF blocked/);
+		});
+
+		it("httpRequest blocks localhost", async () => {
+			await expect(
+				adapter.httpRequest("http://127.0.0.1:9999/", {}),
+			).rejects.toThrow(/SSRF blocked/);
+		});
+
+		it("fetch allows data: URLs (no network)", async () => {
+			const result = await adapter.fetch("data:text/plain,ssrf-test-ok", {});
+			expect(result.ok).toBe(true);
+			expect(result.body).toContain("ssrf-test-ok");
+		});
+	});
+
+	// ---------------------------------------------------------------
+	// Redirect-to-private-IP blocking
+	// ---------------------------------------------------------------
+
+	describe("redirect to private IP is blocked", () => {
+		afterEach(() => {
+			vi.restoreAllMocks();
+		});
+
+		it("fetch blocks 302 redirect to private IP", async () => {
+			// Mock global fetch to simulate a 302 redirect to a private IP
+			const originalFetch = globalThis.fetch;
+			const mockFetch = vi.fn().mockResolvedValueOnce(
+				new Response(null, {
+					status: 302,
+					headers: { location: "http://169.254.169.254/latest/meta-data/" },
+				}),
+			);
+			vi.stubGlobal("fetch", mockFetch);
+
+			const adapter = createDefaultNetworkAdapter();
+			// Use a public-looking IP so the initial check passes
+			await expect(
+				adapter.fetch("http://8.8.8.8/redirect", {}),
+			).rejects.toThrow(/SSRF blocked/);
+
+			vi.stubGlobal("fetch", originalFetch);
+		});
+
+		it("fetch blocks 307 redirect to 10.x range", async () => {
+			const originalFetch = globalThis.fetch;
+			const mockFetch = vi.fn().mockResolvedValueOnce(
+				new Response(null, {
+					status: 307,
+					headers: { location: "http://10.0.0.1/internal-api" },
+				}),
+			);
+			vi.stubGlobal("fetch", mockFetch);
+
+			const adapter = createDefaultNetworkAdapter();
+			await expect(
+				adapter.fetch("http://8.8.8.8/redirect", {}),
+			).rejects.toThrow(/SSRF blocked/);
+
+			vi.stubGlobal("fetch", originalFetch);
+		});
+	});
+
+	// ---------------------------------------------------------------
+	// DNS rebinding — documented as known limitation
+	// ---------------------------------------------------------------
+
+	describe("DNS rebinding", () => {
+		it("known limitation: DNS rebinding after initial check is not blocked at the adapter level", () => {
+			// DNS rebinding attacks involve a hostname that resolves to a safe public IP
+			// on the first lookup (passing the SSRF check) but resolves to a private IP on
+			// the subsequent connection. Fully mitigating this requires either:
+			//   - Pinning the resolved IP for the connection (not possible with native fetch)
+			//   - Using a custom DNS resolver with caching and TTL enforcement
+			//
+			// This is documented as a known limitation. The pre-flight DNS check still
+			// provides defense in depth against most SSRF vectors including direct IP
+			// access, redirect-based attacks, and static DNS entries.
+			expect(true).toBe(true);
+		});
+	});
+});