stacklok / toolhive / 28087037781
67%

Build:
DEFAULT BRANCH: main
Ran 24 Jun 2026 09:01AM UTC
Jobs 1
Files 763
Run time 2min

24 Jun 2026 08:55AM UTC coverage: 67.184% (+0.08%) from 67.1%
Build 28087037781 (push, github, web-flow)

Merge commit from fork

* Guard auth-discovery HTTP clients against redirect SSRF

The remote MCP server auth-discovery clients followed HTTP redirects with
no host or scheme restriction. A malicious server could return a 30x that
pointed the host-side request at an internal address (cloud IMDS, RFC1918
services), turning discovery into an SSRF (CWE-918). This is the one
outbound path that never received the redirect guards already applied to
the transparent proxy, the DCR resolver, and the CIMD fetch.

Add networking.SameHostRedirectPolicy: a CheckRedirect that follows only
same-host (host:port) redirects, refuses HTTPS->HTTP downgrades, and caps
the chain at MaxRedirects, mirroring the transparent-proxy data-path guard.
Install it on the three discovery sinks: DetectAuthenticationFromServer,
FetchResourceMetadata, and the DiscoverActualIssuer default client. Rewrite
the three #nosec G704 rationale comments that asserted the URL was trusted
internal config; the URL is server-controlled and is now contained by the
redirect policy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Block private-IP discovery fetches for public targets

The redirect guard stops a malicious server using a 30x to reach an
internal address, but a server can still name a private address directly
in the WWW-Authenticate resource_metadata parameter or a discovered issuer
URL, so the host issues that first-hop GET with no address filtering.

Gate a dial-time private-IP block on whether the operator-configured target
is public. TargetIsPrivate resolves the target host; when it is public, the
server-influenced fetches (resource_metadata, realm-derived issuer,
authorization_servers, well-known) refuse to dial private, loopback, or
link-local addresses on every hop via NewPrivateIPBlockingDialContext. When
the operator deliberately targets an internal server the block is disabled,
so legitimately-internal auth metadata stays reachable and no internal
deployment regresses.... (continued)
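The two guards the commit message describes, as an added example in Go that is not toolhive's own code: sameHostRedirectPolicy is an http.Client CheckRedirect that follows a 30x only to the original host:port, refuses an https->http downgrade and caps the chain; vetAddress and newPrivateIPBlockingDialContext refuse private, loopback, link-local and unspecified destinations on every hop; newDiscoveryClient installs the dial block only when the operator-configured target resolves to a public address. Every identifier below, the maxRedirects value of 5, and the hostnames and 203.0.113.0/24 addresses mentioned in the note after the block are assumptions, not the project's.

```go
package main

// Added example, not toolhive's code: every identifier here is a hypothetical
// stand-in for the guards the commit message describes.

import (
	"context"
	"errors"
	"net"
	"net/http"
	"net/url"
)

const maxRedirects = 5 // assumed cap, not the project's value

var (
	errTooManyRedirects  = errors.New("redirect chain exceeds maxRedirects")
	errCrossHostRedirect = errors.New("redirect to a different host:port refused")
	errSchemeDowngrade   = errors.New("https->http redirect downgrade refused")
	errPrivateAddress    = errors.New("private, loopback or link-local address refused")
)

// hostPort canonicalises host:port so "https://a" and "https://a:443" compare equal.
func hostPort(u *url.URL) string {
	if u.Port() != "" {
		return net.JoinHostPort(u.Hostname(), u.Port())
	}
	return net.JoinHostPort(u.Hostname(), map[string]string{"https": "443", "http": "80"}[u.Scheme])
}

// sameHostRedirectPolicy is an http.Client.CheckRedirect. via holds the original
// request plus one entry per redirect already followed, so via[0] is the URL
// the host meant to talk to and len(via) counts the hops so far.
func sameHostRedirectPolicy(req *http.Request, via []*http.Request) error {
	if len(via) > maxRedirects {
		return errTooManyRedirects
	}
	if via[0].URL.Scheme == "https" && req.URL.Scheme != "https" {
		return errSchemeDowngrade
	}
	if hostPort(req.URL) != hostPort(via[0].URL) {
		return errCrossHostRedirect
	}
	return nil
}

// resolver abstracts DNS so the address checks can run offline. It must return
// IP literals unchanged, as net.DefaultResolver.LookupIPAddr does.
type resolver func(ctx context.Context, host string) ([]net.IPAddr, error)

// vetAddress returns one address for host only if every resolved address is
// public; a mixed answer is refused so a private address cannot ride along.
func vetAddress(ctx context.Context, host string, lookup resolver) (net.IP, error) {
	addrs, err := lookup(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, errors.New("no addresses resolved for " + host)
	}
	for _, a := range addrs {
		if a.IP.IsLoopback() || a.IP.IsPrivate() || a.IP.IsLinkLocalUnicast() || a.IP.IsUnspecified() {
			return nil, errPrivateAddress
		}
	}
	return addrs[0].IP, nil
}

// newPrivateIPBlockingDialContext vets every hop's destination and dials the
// vetted IP itself, so a second lookup cannot hand back a different answer.
func newPrivateIPBlockingDialContext(lookup resolver) func(context.Context, string, string) (net.Conn, error) {
	d := &net.Dialer{}
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ip, err := vetAddress(ctx, host, lookup)
		if err != nil {
			return nil, err
		}
		return d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
	}
}

// newDiscoveryClient always installs the redirect policy; the private-IP dial
// block is added only when the operator-configured target itself is public.
// The bool reports whether the block is active. A resolution failure other
// than "private" surfaces as an error rather than silently disabling the block.
func newDiscoveryClient(ctx context.Context, target string, lookup resolver) (*http.Client, bool, error) {
	u, err := url.Parse(target)
	if err != nil {
		return nil, false, err
	}
	_, err = vetAddress(ctx, u.Hostname(), lookup)
	if err != nil && !errors.Is(err, errPrivateAddress) {
		return nil, false, err
	}
	blockPrivate := err == nil // public target: guard every hop of the discovery fetches
	t := http.DefaultTransport.(*http.Transport).Clone()
	if blockPrivate {
		t.DialContext = newPrivateIPBlockingDialContext(lookup)
	}
	return &http.Client{Transport: t, CheckRedirect: sameHostRedirectPolicy}, blockPrivate, nil
}
```

With a target such as https://auth.example.com (constructed name) that resolves to a public address, a WWW-Authenticate resource_metadata value pointing at 10.0.0.8 or at 169.254.169.254 is refused at dial time, while a target of http://internal.corp:8080 (also constructed) leaves the block off. Dialing the vetted IP rather than letting the dialer re-resolve the name closes the window between check and connect that DNS rebinding relies on; TLS verification is unaffected because http.Transport derives ServerName from the request URL, not from the address the dialer connected to. The check is per hop: a same-host redirect still passes through the dialer, so a name that starts resolving to a private address mid-chain is refused as well.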

101 of 106 new or added lines in 5 files covered. (95.28%)

14 existing lines in 5 files now uncovered.

69662 of 103689 relevant lines covered (67.18%)

66.42 hits per line

Uncovered Changes

Lines (newly uncovered)  Coverage (%)  ∆        File
5                        91.18         -1.97%   pkg/networking/utilities.go

Coverage Regressions

Lines (newly uncovered)  Coverage (%)  ∆        File
4                        67.04         4.92%    pkg/workloads/manager.go
3                        71.85         -1.11%   pkg/ignore/processor.go
3                        64.29         -4.29%   pkg/state/runconfig.go
2                        93.94         -6.06%   pkg/foreach/foreach.go
2                        82.29         -0.21%   pkg/vmcp/composer/workflow_engine.go

Jobs

ID  Job ID         Ran                       Files  Coverage (%)
1   28087037781.1  24 Jun 2026 09:01AM UTC   763    67.18
Source Files on build 28087037781: 763 files, 12 changed (5 with source changes, 12 with coverage changes)

GitHub Actions Build #28087037781
Commit 4ea6afb9 on github
Prev Build on main (#28081183877)
Next Build on main (#28099346748)

© 2026 Coveralls, Inc