• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 29531355551
68%

Build:
DEFAULT BRANCH: main
Ran 16 Jul 2026 08:22PM UTC
Jobs 1
Files 799
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

16 Jul 2026 08:16PM UTC coverage: 68.172% (+3.0%) from 65.162%
29531355551

push

github

web-flow
Guard upstream-DCR HTTP calls against SSRF (#5826)

* Guard upstream-DCR HTTP calls against SSRF

The DCR resolver dialed both the discovery URL and the registration
endpoint with HTTP clients that had no private-IP protection, and gave
callers no way to supply a guarded client. A DCR upstream was therefore
an SSRF vector (CWE-918) even when the caller validated the configured
URL up front: a discovery document could point registration_endpoint at
an in-cluster service or a link-local metadata address, and a validated
endpoint could rebind to a private address at dial time.

Mirror the OAuth2/OIDC upstream posture (safe-by-default):

- Add networking.NewHostScopedClientBuilder as the single source of
  truth for the host-scoped guard policy, and refactor the upstream
  provider's newHTTPClientForHost to delegate to it so the two paths
  cannot drift.
- Dial both resolver outbound calls through a private-IP-guarded client
  with keep-alives disabled, preserving the existing redirect-refusal
  and bearer-token layering on the registration client.
- Add AllowPrivateIPs to dcr.Request as the explicit opt-in for
  in-cluster upstreams, wired from OAuth2UpstreamRunConfig.AllowPrivateIPs
  so DCR shares the upstream's private-IP posture.

Closes #5825

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Address code review feedback

Fixed issues from code review:
- MEDIUM: Install SameHostRedirectPolicy on the DCR discovery client so a
  malicious upstream 30x cannot walk the metadata fetch onto another host
  (the registration client already refuses all redirects).
- MEDIUM: Thread the private-IP decision into the CLI DCR consumer via
  OAuthFlowConfig.AllowPrivateIPs, wired from the existing TargetIsPrivate
  model at both CLI entrypoints, so a CLI pointed at a private remote is no
  longer newly refused on DCR while a public remote stays guarded.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Close remaining SSRF guard gaps in CLI DCR ... (continued)

103 of 145 new or added lines in 9 files covered. (71.03%)

10 existing lines in 3 files now uncovered.

73973 of 108510 relevant lines covered (68.17%)

64.97 hits per line

Uncovered Changes

Lines Coverage ∆ File
20
9.63
-0.05% cmd/thv/app/proxy.go
15
86.95
-2.05% pkg/auth/dcr/resolver.go
4
83.7
0.31% pkg/auth/discovery/discovery.go
3
51.14
6.38% pkg/auth/remote/handler.go

Coverage Regressions

Lines Coverage ∆ File
7
90.71
-3.83% pkg/oauthproto/discovery.go
2
93.94
-6.06% pkg/foreach/foreach.go
1
86.95
-2.05% pkg/auth/dcr/resolver.go
Jobs
ID Job ID Ran Files Coverage
1 29531355551.1 16 Jul 2026 08:22PM UTC 799
68.17
GitHub Action Run
Source Files on build 29531355551
  • Tree
  • List 799
  • Changed 14
  • Source Changed 11
  • Coverage Changed 13
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #29531355551
  • 29b8d00b on github
  • Prev Build on main (#29515847024)
  • Next Build on main (#29561795366)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc