fix(security): restrict tool gatewayUrl overrides

2026-05-09 04:57:40 +00:00 · 2026-02-14 21:36:02 +01:00
parent 07850e8a93
commit 2d5647a804
4 changed files with 95 additions and 7 deletions
--- a/src/agents/tools/gateway.e2e.test.ts
+++ b/src/agents/tools/gateway.e2e.test.ts
@@ -2,6 +2,10 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 import { callGatewayTool, resolveGatewayOptions } from "./gateway.js";

 const callGatewayMock = vi.fn();
+vi.mock("../../config/config.js", () => ({
+  loadConfig: () => ({}),
+  resolveGatewayPort: () => 18789,
+}));
 vi.mock("../../gateway/call.js", () => ({
  callGateway: (...args: unknown[]) => callGatewayMock(...args),
 }));
@@ -20,15 +24,24 @@ describe("gateway tool defaults", () => {
    callGatewayMock.mockResolvedValueOnce({ ok: true });
    await callGatewayTool(
      "health",
-      { gatewayUrl: "ws://example", gatewayToken: "t", timeoutMs: 5000 },
+      { gatewayUrl: "ws://127.0.0.1:18789", gatewayToken: "t", timeoutMs: 5000 },
      {},
    );
    expect(callGatewayMock).toHaveBeenCalledWith(
      expect.objectContaining({
-        url: "ws://example",
+        url: "ws://127.0.0.1:18789",
        token: "t",
        timeoutMs: 5000,
      }),
    );
  });
+
+  it("rejects non-allowlisted overrides (SSRF hardening)", async () => {
+    await expect(
+      callGatewayTool("health", { gatewayUrl: "ws://127.0.0.1:8080", gatewayToken: "t" }, {}),
+    ).rejects.toThrow(/gatewayUrl override blocked/i);
+    await expect(
+      callGatewayTool("health", { gatewayUrl: "ws://169.254.169.254", gatewayToken: "t" }, {}),
+    ).rejects.toThrow(/gatewayUrl override blocked/i);
+  });
 });