Skip to content

Add SSRF protection to RemoteURL validation#4697

Merged
JAORMX merged 1 commit intomainfrom
worktree-issue-4695
Apr 9, 2026
Merged

Add SSRF protection to RemoteURL validation#4697
JAORMX merged 1 commit intomainfrom
worktree-issue-4695

Conversation

@JAORMX
Copy link
Copy Markdown
Collaborator

@JAORMX JAORMX commented Apr 9, 2026

Summary

Cloud metadata, loopback, and private-range URLs in RemoteURL fields could
become SSRF vectors if any downstream component fetches them in-cluster. The
existing validation only checked the URL scheme (^https?://), leaving
internal endpoints wide open.

This extends ValidateRemoteURL to reject well-known internal and metadata
endpoints, and wires that validation into the MCPServerEntry controller (which
previously had no URL validation at all).

Closes #4695

Type of change

  • New feature

Test plan

  • Unit tests (task test)
  • Linting (task lint-fix)

Changes

File Change
cmd/thv-operator/pkg/validation/url_validation.go Add SSRF checks: blocked CIDR ranges (loopback, link-local, RFC 1918, ULA, unspecified), blocked hostnames (localhost, K8s internal, GCP metadata, cluster.local), IPv4-mapped IPv6 normalization
cmd/thv-operator/pkg/validation/url_validation_test.go 26 new test cases for all blocked ranges, bypass prevention, and edge cases
cmd/thv-operator/api/v1alpha1/mcpserverentry_types.go Add RemoteURLValidated condition type and reason constants
cmd/thv-operator/controllers/mcpserverentry_controller.go Add validateRemoteURL step to reconciler with status condition reporting
cmd/thv-operator/controllers/mcpserverentry_controller_test.go 3 new controller test cases for SSRF rejection

Special notes for reviewers

  • IPv4-mapped IPv6 bypass: ::ffff:127.0.0.1 is normalized via To4() before CIDR matching so it correctly hits IPv4 blocklists.
  • No DNS resolution by design: Only literal IPs and known hostnames are checked. An attacker-controlled domain pointing to 169.254.169.254 would bypass this. This is acceptable for admission-time validation; runtime fetch guards would need separate DNS-aware checks.
  • MCPRemoteProxy already calls ValidateRemoteURL at mcpremoteproxy_controller.go:369, so it gets the SSRF protection automatically with no code change.
  • Follow-up: ValidateJWKSURL should get the same validateHostNotInternal check (separate issue, different SSRF surface).

Generated with Claude Code

@JAORMX @claude
Add SSRF protection to RemoteURL validation
933ae9d 
ValidateRemoteURL now rejects URLs targeting internal and metadata
endpoints to prevent SSRF vectors when downstream components fetch
user-supplied URLs in-cluster.

Blocked ranges: loopback (127.0.0.0/8, ::1), link-local/cloud
metadata (169.254.0.0/16), RFC 1918 private (10/8, 172.16/12,
192.168/16), IPv6 ULA (fc00::/7), and the unspecified address
(0.0.0.0/8, ::). IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) are
normalized to prevent bypass.

Blocked hostnames: localhost, kubernetes.default.svc(.cluster.local),
cluster.local, metadata.google.internal (with subdomain matching).

The MCPServerEntry controller now calls ValidateRemoteURL and reports
results through a RemoteURLValidated status condition, consistent with
the existing MCPRemoteProxy controller pattern.

Closes #4695

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot added the size/M Medium PR: 300-599 lines changed label Apr 9, 2026
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 9, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 96.29630% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.64%. Comparing base (b542727) to head (933ae9d).
⚠️ Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
cmd/thv-operator/pkg/validation/url_validation.go 94.28% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4697      +/-   ##
==========================================
+ Coverage   68.60%   68.64%   +0.03%     
==========================================
  Files         515      515              
  Lines       53518    53572      +54     
==========================================
+ Hits        36718    36772      +54     
  Misses      13958    13958              
  Partials     2842     2842

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@JAORMX JAORMX merged commit 55d82f5 into main Apr 9, 2026
40 checks passed
@JAORMX JAORMX deleted the worktree-issue-4695 branch April 9, 2026 11:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChrisJBurns ChrisJBurns ChrisJBurns approved these changes

@yrobla yrobla Awaiting requested review from yrobla yrobla is a code owner

@jerm-dro jerm-dro Awaiting requested review from jerm-dro jerm-dro is a code owner

@jhrozek jhrozek Awaiting requested review from jhrozek jhrozek is a code owner

Assignees

No one assigned

Labels

size/M Medium PR: 300-599 lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add URL validation to reject internal/metadata endpoints in RemoteURL fields

2 participants

@JAORMX @ChrisJBurns