stacklok / toolhive / 26172416819
66%

Build:
DEFAULT BRANCH: main
Ran 20 May 2026 03:31PM UTC
Jobs 1
Files 733
Run time 2min
20 May 2026 03:25PM UTC coverage: 65.493% (-0.03%) from 65.521%
26172416819

push

github

web-flow
Add CIMD document fetch/validate and extend SSRF protections (#5320)

* Add CIMD document fetch/validate and extend SSRF protections

Phase 2 PR 1 of CIMD embedded AS support (issue #4825).

- pkg/oauthproto/cimd.go: add ClientMetadataDocument struct,
  FetchClientMetadataDocument (HTTPS-only, 10 KB cap, 5 s timeout,
  1-hop redirect limit, per-dial SSRF check, Content-Type validation,
  strict self-referential binding), ValidateClientMetadataDocument.
  SSRF check implemented inline to preserve the oauthproto leaf-package
  invariant (no import of pkg/networking).

- pkg/networking/utilities.go: add RFC6598 CGN (100.64.0.0/10) and
  RFC5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24,
  203.0.113.0/24) to the private IP block list.

- pkg/networking/http_client.go: add WithDisableKeepAlives option to
  HttpClientBuilder so callers can prevent keep-alive connection reuse
  from bypassing per-dial SSRF checks.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Tighten CIMD compliance — URL §3 requirements, auth methods, multicast

Verified against both draft-ietf-oauth-client-id-metadata-document and
internal RFC-0071:

- validateCIMDClientURL enforces §3 URL requirements: non-empty path
  component, no fragment, no userinfo, no dot-segments; removes the
  TODO that was deferring this validation to Phase 2

- ValidateClientMetadataDocument rejects symmetric auth methods
  (client_secret_post, client_secret_basic, client_secret_jwt) per §4.1
  of the CIMD draft

- Add IPv4 multicast (224.0.0.0/4) and IPv6 multicast (ff00::/8) to
  both pkg/networking and the oauthproto inline SSRF block list

- Update tests to use meaningful URL paths (/metadata.json); bare-root
  paths (/) now correctly fail the §3 path requirement

Note: custom CA cert support (RFC-0071 §4 server-side) is deferred to
PR 2 — FetchClientMetadataDocument will accept an optional *http.Client
allowing the storage decorator to pass a CA-aware client.

Co-Auth... (continued)

100 of 129 new or added lines in 4 files covered. (77.52%)

43 existing lines in 6 files now uncovered.

64728 of 98832 relevant lines covered (65.49%)

61.54 hits per line

Uncovered Changes

Lines  Coverage  ∆        File
25     75.0               pkg/oauthproto/cimd/fetch.go
4      89.38     -3.21%   pkg/networking/http_client.go

Coverage Regressions

Lines  Coverage  ∆         File
12     75.09     -4.33%    pkg/client/config.go
12     67.9      -14.81%   pkg/client/discovery.go
8      23.56     -4.6%     pkg/client/manager.go
6      76.15     -5.5%     pkg/secrets/keyring/keyctl_linux.go
3      71.85     -1.11%    pkg/ignore/processor.go
2      93.94     -6.06%    pkg/foreach/foreach.go
Jobs

ID  Job ID          Ran                        Files  Coverage
1   26172416819.1   20 May 2026 03:31PM UTC    733    65.49     (GitHub Action Run)
Source Files on build 26172416819
  • Tree
  • List 733
  • Changed 12
  • Source Changed 4
  • Coverage Changed 12
  • Github Actions Build #26172416819
  • 9a5d0c26 on github
  • Prev Build on main (#26171086378)
  • Next Build on main (#26173440719)
© 2026 Coveralls, Inc