Skip to content

fix(sandbox): treat literal IP in policy host as implicit allowed_ips#570

Merged
johntmyers merged 1 commit intomainfrom
fix/implicit-allowed-ips-for-ip-host
Mar 24, 2026
Merged

fix(sandbox): treat literal IP in policy host as implicit allowed_ips#570
johntmyers merged 1 commit intomainfrom
fix/implicit-allowed-ips-for-ip-host

Conversation

@johntmyers
Copy link
Collaborator

@johntmyers johntmyers commented Mar 24, 2026

Summary

When a policy endpoint uses a literal IP address as the host (e.g. host: 192.168.86.157), the SSRF guard no longer requires a redundant allowed_ips entry. The user has already explicitly declared intent to allow that destination.

Related Issue

Refs #567

Changes

  • Add implicit_allowed_ips_for_ip_host helper that synthesizes an allowed_ips entry when the host parses as an IP address
  • Apply the implicit allowlist in both the CONNECT and FORWARD proxy paths, falling back to it when OPA returns no explicit allowed_ips
  • Loopback and link-local addresses remain blocked via resolve_and_check_allowed_ips
  • Add unit tests for the helper (IPv4, IPv6, hostname, wildcard cases)

Root Cause

The SSRF protection in the proxy rejects connections to RFC 1918 addresses unless allowed_ips is explicitly set on the endpoint. This makes sense for hostname-based endpoints (DNS rebinding risk), but is redundant when the policy host is already a literal IP — there is no DNS resolution to exploit and the user has explicitly declared the destination.

Users hitting this saw FORWARD blocked: internal IP without allowed_ips even though their policy clearly listed the IP address.

Testing

  • mise run pre-commit passes
  • Unit tests added for implicit_allowed_ips_for_ip_host
  • Full cargo test -p openshell-sandbox passes (313 tests)
  • End-to-end verified on local cluster: L4 policy with host: 192.168.x.x (no allowed_ips) now connects successfully

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@johntmyers
fix(sandbox): treat literal IP in policy host as implicit allowed_ips
f42353a 
When a policy endpoint specifies a literal IP address as the host
(e.g. host: 192.168.86.157), the user has explicitly declared intent
to allow that destination. The SSRF guard requiring allowed_ips was
redundant for this case and forced users to duplicate the IP.

Synthesize an implicit allowed_ips entry when the host parses as an IP
address, so the existing allowlist-validation path is used instead of
the blanket internal-IP rejection. Loopback and link-local addresses
remain blocked by resolve_and_check_allowed_ips.

Applies to both the CONNECT and FORWARD proxy paths.

Refs: #567
@johntmyers johntmyers requested a review from a team as a code owner March 24, 2026 16:11
@johntmyers johntmyers self-assigned this Mar 24, 2026
This was referenced Mar 24, 2026
Closed
Merged
johntmyers added a commit that referenced this pull request Mar 24, 2026
@johntmyers
fix(e2e): revert FWD-2 to expect 403 without implicit allowed_ips fix
2df59b9 
The implicit allowed_ips fix is in PR #570, not this branch. FWD-2
must expect 403 until that fix is merged. The OVL-1 and OVL-2 tests
(overlapping policies) are independent and remain unchanged.
johntmyers added a commit that referenced this pull request Mar 24, 2026
@johntmyers
test(e2e): update SSRF-3 and SSRF-6 for implicit allowed_ips behavior
5996c22 
SSRF-6: Private IP with literal IP host now gets implicit allowed_ips
from PR #570, so CONNECT returns 200 instead of 403.

SSRF-3: Loopback is still blocked but via the always-blocked path
(implicit allowed_ips is synthesized, then resolve_and_check_allowed_ips
catches it). Log message says 'always-blocked' instead of 'internal
address'.
@johntmyers johntmyers merged commit 3f1917a into main Mar 24, 2026
10 checks passed
@johntmyers johntmyers deleted the fix/implicit-allowed-ips-for-ip-host branch March 24, 2026 20:17
johntmyers added a commit that referenced this pull request Mar 24, 2026
@johntmyers
test(e2e): update SSRF-3 and SSRF-6 for implicit allowed_ips behavior
c73845d 
SSRF-6: Private IP with literal IP host now gets implicit allowed_ips
from PR #570, so CONNECT returns 200 instead of 403.

SSRF-3: Loopback is still blocked but via the always-blocked path
(implicit allowed_ips is synthesized, then resolve_and_check_allowed_ips
catches it). Log message says 'always-blocked' instead of 'internal
address'.
johntmyers added a commit that referenced this pull request Mar 24, 2026
@johntmyers
fix(sandbox,server): fix chunk merge duplicates and OPA variable coll…
256f7fc 
…ision with overlapping policies (#571)

* fix(sandbox,server): fix chunk merge duplicates and OPA variable collision with overlapping policies

Two related bugs triggered when a draft rule approval creates a second
policy entry for the same host:port:

1. merge_chunk_into_policy looked up existing rules by chunk.rule_name
   (auto-generated as allow_{host}_{port}), which never matched the
   user's original rule name.  Now scans all network_policies entries
   for a host:port endpoint match before falling back to insertion,
   and merges allowed_ips into the existing endpoint.

2. The Rego allow_request rule and _matching_endpoint_configs
   comprehension used 'some ep; ep := policy.endpoints[_]' which
   caused regorus to error with 'duplicated definition of local
   variable ep' when multiple policies covered the same host:port.
   Refactored to isolate endpoint iteration inside helper functions
   (_policy_allows_l7, _policy_endpoint_configs) so variables are
   scoped per-policy evaluation.

Refs: #567

* test(e2e): add overlapping policy tests and update FWD-2 for implicit allowed_ips

- Update FWD-2 (test_forward_proxy_denied_without_allowed_ips ->
  test_forward_proxy_allows_private_ip_host_without_allowed_ips):
  literal IP host no longer requires explicit allowed_ips, expects 200.

- Add OVL-1: overlapping L4 policies for same host:port must not crash
  OPA and should allow forward proxy connections.

- Add OVL-2: overlapping L7 policies for same host:port must not crash
  OPA and should allow CONNECT tunnel establishment.

Refs: #567

* style: apply cargo fmt formatting

* test(e2e): update SSRF-3 and SSRF-6 for implicit allowed_ips behavior

SSRF-6: Private IP with literal IP host now gets implicit allowed_ips
from PR #570, so CONNECT returns 200 instead of 403.

SSRF-3: Loopback is still blocked but via the always-blocked path
(implicit allowed_ips is synthesized, then resolve_and_check_allowed_ips
catches it). Log message says 'always-blocked' instead of 'internal
address'.

* fix(e2e): use negative assertion for SSRF-6 when nothing listens on target port

When the SSRF check passes but nothing listens on the target port,
recv() returns empty bytes. Use 'assert 403 not in' (matching SSRF-4
pattern) instead of 'assert 200 in'.

* fix(e2e): update provider tests for redacted credential values

PR #569 changed credential redaction from clearing the map to
replacing values with 'REDACTED'. Update e2e assertions to expect
credential keys with REDACTED values instead of an empty map.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@drew drew drew approved these changes

Assignees

@johntmyers johntmyers

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@johntmyers @drew