stacklok / toolhive / 23654603071

push

github

Block Docker gateway addresses in egress proxy by default (#4395)

## Why

Containerized MCP servers can reach host services via `host.docker.internal`,
`gateway.docker.internal`, and the Docker bridge gateway IP (`172.17.0.1`).
This enables lateral movement from a compromised or malicious MCP server to
services running on the host, bypassing the container network boundary.

The existing `insecure_allow_all` permission flag does not protect against this:
users enabling it intend to open general internet access, not necessarily host
access. These are distinct threat surfaces and warrant separate opt-ins.

## What changed

The Squid egress proxy config now emits ACL deny rules for the three Docker
gateway addresses **before** any allow rules. Squid evaluates access control
in first-match-wins order, so placing the deny first ensures it cannot be
bypassed by a subsequent `http_access allow all`.

A new `--allow-docker-gateway` CLI flag (default `false`) provides an explicit
opt-in for the small number of MCP servers that legitimately need host access.
The flag threads through the full call chain:

```
--allow-docker-gateway (run_flags.go)
  → RunConfig.AllowDockerGateway (config.go)
  → runtime.Setup() (setup.go)
  → DeployWorkloadOptions.AllowDockerGateway (types.go)
  → createEgressSquidContainer() (client.go)
  → createTempEgressSquidConf() (squid.go)
```

Generated Squid config with default settings (blocking active):

```squid
acl docker_gateway_hosts dstdomain host.docker.internal gateway.docker.internal
acl docker_gateway_ip dst 172.17.0.1
http_access deny docker_gateway_hosts
http_access deny docker_gateway_ip

http_access allow all   # (or ACL-based allow rules)
http_access deny all
```

22 of 48 new or added lines in 6 files covered. (45.83%)

52495 of 80242 relevant lines covered (65.42%)

65.38 hits per line