fix(security): block private-network web_search citation redirects

2026-05-10 19:34:59 +00:00 · 2026-03-02 01:05:05 +00:00
parent e1a9ba8400
commit 085c23ce5a
4 changed files with 3 additions and 3 deletions
--- a/src/agents/tools/web-search.redirect.test.ts
+++ b/src/agents/tools/web-search.redirect.test.ts
@@ -32,10 +32,10 @@ describe("web_search redirect resolution hardening", () => {
        url: "https://example.com/start",
        timeoutMs: 5000,
        init: { method: "HEAD" },
-        policy: { dangerouslyAllowPrivateNetwork: true },
        proxy: "env",
      }),
    );
+    expect(fetchWithSsrFGuardMock.mock.calls[0]?.[0]?.policy).toBeUndefined();
    expect(release).toHaveBeenCalledTimes(1);
  });

--- a/src/agents/tools/web-search.ts
+++ b/src/agents/tools/web-search.ts
@@ -721,7 +721,6 @@ async function resolveRedirectUrl(url: string): Promise<string> {
        url,
        init: { method: "HEAD" },
        timeoutMs: REDIRECT_TIMEOUT_MS,
-        policy: WEB_TOOLS_TRUSTED_NETWORK_SSRF_POLICY,
      },
      async ({ finalUrl }) => finalUrl || url,
    );