
fix(security,agents): harden SSRF DNS-rebind, fail loudly, cover untested modules#1299

Open
kovtcharov wants to merge 1 commit into main from kalin/code-hygiene-and-tests

Conversation

@kovtcharov
Collaborator

A DNS-rebind attacker could slip past the web client's SSRF guard: the pre-flight IP check and the actual TCP connect used separate DNS lookups, so a host could answer the check with a public IP and the connect with a private/internal one. This PR pins the resolved IP and validates the exact address it dials through a single authority, closing the window for both http and https (HTTPS cert-name verification still binds to the real hostname; the SNI-vhosting trade-off is documented, not silently accepted). It also removes three silent-fallback violations that hid real failures, and adds tests to three high-risk modules that had none.

Reviewer-relevant threads:

  • SSRF hardening (web/client.py) — the security fix above; worth a close read of PinnedIPAdapter.
  • Fail-loudly fixes — corrupt memory-settings now logs instead of reverting to defaults silently; Telegram background startup re-raises on PID-write failure (a supervisor can no longer be fooled into thinking a dead process started); a raising system-prompt fragment now logs instead of vanishing from the prompt.
  • New coverage — DockerAgent (subprocess/path-allowlist), the home-dir discovery classifiers, and Jira JQL templating; the API non-streaming completion happy-path is now tested with a mocked backend instead of @pytest.mark.skip.

Test plan

  • pytest tests/unit/agents/test_discovery.py tests/unit/agents/test_docker_agent.py tests/unit/agents/test_jql_templates.py tests/unit/test_web_client_ip_pinning.py -q — 100 pass
  • pytest tests/unit/test_web_client_edge_cases.py tests/test_rag.py -q — no regression (96 pass)
  • pytest tests/test_api.py -q — completion happy-path now runs (no longer skipped)
  • python util/lint.py --black --isort --flake8 — clean on changed files
  • Agent eval (running separately) confirms no regression from the prompt-fragment logging change — the change is logging-only on the exception branch, so the composed prompt is byte-identical on the happy path

…allbacks, cover untested modules

A DNS-rebind attacker could pass the web client's pre-flight IP check with a
public address and then have the actual TCP connect resolve to a private/internal
one, because validation and connection used separate DNS lookups. Several modules
also swallowed errors silently — a corrupt memory-settings file reverted to
defaults with no signal, a failed Telegram background PID-file write let startup
"succeed" so a supervisor could never stop the process, and a raising system-prompt
fragment was dropped from the composed prompt without a trace. And three high-risk
modules (DockerAgent's subprocess calls, the home-dir discovery scanner, Jira JQL
templating) plus the API completion happy-path had no test coverage.

- SSRF: a PinnedIPAdapter resolves once, validates the exact IP it will dial
  through a single authority, and pins it — closing the rebind window for http
  and https. HTTPS cert-name verification still binds to the real hostname; the
  SNI-vhosting limitation is documented, not silently accepted.
- Fail loudly: memory-settings load narrows to the real parse errors and logs;
  Telegram background startup re-raises on PID-write failure; the prompt-fragment
  drop and rag unload-on-reload now log instead of `except: pass`.
- Tests: new suites for DockerAgent (subprocess/path-allowlist), the discovery
  classifiers, and JQL templating; the API non-streaming completion happy-path is
  now covered with a mocked backend instead of being skipped.
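The resolve-once, validate, pin design that both the description and the commit message describe, as an added standard-library illustration that is not the project's web/client.py or its PinnedIPAdapter. The names RebindingResolver, SSRFBlocked, PinnedTarget, dial and the sample addresses (93.184.216.34 standing in for a public host, 10.0.0.8 for an internal one) are constructed for the demo; the "before" path shows why two independent lookups let the rebind through, and the "after" path shows the validated address being the dialed address while the hostname still goes to TLS for certificate-name verification:

```python
"""Resolve once, validate, pin: closing the DNS-rebind window in an SSRF guard.

Added illustration using only the standard library. It is not the project's
web/client.py or its PinnedIPAdapter; RebindingResolver, SSRFBlocked,
PinnedTarget and the sample addresses are constructed for the demo.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


class SSRFBlocked(Exception):
    """Destination resolved to an address the guard refuses to dial."""


def is_public_ip(ip_text: str) -> bool:
    """The single authority for 'may we dial this address?'.

    Rejects loopback, RFC 1918/ULA, link-local (which includes the
    169.254.169.254 cloud-metadata endpoint), multicast, reserved and
    unspecified ranges. IPv4-mapped IPv6 is unwrapped first so that
    ::ffff:10.0.0.1 is judged by the IPv4 rules.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> List[str]:
    """Production resolver: every address getaddrinfo returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


class RebindingResolver:
    """Constructed sample resolver reproducing the DNS-rebind pattern: the
    first lookup answers with a public address, every later lookup with an
    internal one (a real rebind uses a tiny TTL to force the re-lookup)."""

    def __init__(self, first: str, later: str) -> None:
        self._first, self._later = first, later
        self.lookups = 0

    def __call__(self, host: str) -> List[str]:
        self.lookups += 1
        return [self._first if self.lookups == 1 else self._later]


def dial(ip: str, host: str, port: int = 443) -> Dict[str, object]:
    """Stand-in for the socket layer: returns what the connection would use.

    The TCP endpoint is the IP; the hostname is still handed to TLS as
    server_hostname (ssl.SSLContext.wrap_socket(sock, server_hostname=host)),
    so certificate-name verification binds to the real name even though the
    connection went to a pinned address.
    """
    return {"address": (ip, port), "server_hostname": host}


def vulnerable_fetch(host: str, resolver: Resolver) -> Dict[str, object]:
    """'Before': the guard and the connect each resolve the name themselves."""
    for ip in resolver(host):               # lookup 1: pre-flight check
        if not is_public_ip(ip):
            raise SSRFBlocked(f"{host} -> {ip}")
    ip_actually_dialed = resolver(host)[0]  # lookup 2: what the socket gets
    return dial(ip_actually_dialed, host)


@dataclass(frozen=True)
class PinnedTarget:
    host: str  # kept for SNI and certificate-name verification
    ip: str    # the only address the socket is allowed to dial


def resolve_and_pin(host: str, resolver: Resolver) -> PinnedTarget:
    """Resolve exactly once, validate every answer, pin the one we will dial."""
    addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"{host}: no addresses")
    for ip in addrs:                        # every answer must pass, not just one
        if not is_public_ip(ip):
            raise SSRFBlocked(f"{host} -> {ip}")
    return PinnedTarget(host=host, ip=addrs[0])


def hardened_fetch(host: str, resolver: Resolver) -> Dict[str, object]:
    """'After': the address that was validated is the address that is dialed."""
    target = resolve_and_pin(host, resolver)
    return dial(target.ip, target.host)     # no second lookup anywhere


if __name__ == "__main__":
    # Constructed addresses: 93.184.216.34 as "public", 10.0.0.8 as "internal".
    before = vulnerable_fetch("rebinding-host.example",
                              RebindingResolver("93.184.216.34", "10.0.0.8"))
    after = hardened_fetch("rebinding-host.example",
                           RebindingResolver("93.184.216.34", "10.0.0.8"))
    print("vulnerable dials", before["address"])   # ('10.0.0.8', 443)
    print("hardened dials  ", after["address"])    # ('93.184.216.34', 443)
```

Two design points carry over from the PR: the allow/deny decision lives in one function that both the guard and the pinned path consult, so a rule added later (say, blocking a new special-purpose range) cannot be applied to the check but forgotten at the connect; and the pinned target keeps the hostname alongside the IP precisely so that HTTPS verification is not weakened, which is the trade-off the PR notes for SNI-vhosted servers that serve different certificates per name.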
github-actions bot added the labels agents, mcp (MCP integration changes), performance (Performance-critical changes), rag (RAG system changes) and tests (Test changes) on May 29, 2026