feat: hardening de tools — deny-by-default, SSRF, path traversal, allowlists

Cambios de seguridad en las 4 herramientas de agentes: - tools/file: deny-by-default (AllowedPaths vacío = todo denegado), resolución de symlinks con EvalSymlinks, protección contra path traversal (../) y confusión de prefijos (/opt vs /opt1234) - tools/ssh: nuevo AllowedCommands allowlist (complementa ForbiddenCommands), validación de sintaxis shell (bloquea pipes, subshells, redirects, chains) - tools/http: protección SSRF bloqueando IPs privadas, loopback, link-local, metadata (169.254.169.254). Validación de dominio case-insensitive. - tools/matrix: nuevo parámetro AllowedRooms para restringir rooms destino - internal/config/schema: AllowedCommands en SSHToolCfg, MatrixToolCfg nueva - agents/runtime: pasa MatrixToolCfg al constructor de matrix_send Parte de issue 0019 (prompt injection hardening). Feature flag OFF. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 19:17:00 +00:00
parent 71a009f890
commit 4e7aa95adb
6 changed files with 195 additions and 21 deletions
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -14,7 +15,8 @@ import (
 )

 // NewHTTPGet creates an http_get tool that performs GET requests.
-// Validates URLs against cfg.AllowedDomains when non-empty.
+// Validates URLs against cfg.AllowedDomains (deny-by-default if non-empty)
+// and blocks requests to internal/private IP ranges (SSRF protection).
 func NewHTTPGet(cfg config.HTTPToolCfg) tools.Tool {
 	timeout := cfg.Timeout
 	if timeout == 0 {
@@ -35,8 +37,8 @@ func NewHTTPGet(cfg config.HTTPToolCfg) tools.Tool {
 			if rawURL == "" {
 				return tools.Result{Err: fmt.Errorf("http_get: url is required")}
 			}
-			if err := validateDomain(rawURL, cfg.AllowedDomains); err != nil {
-				return tools.Result{Err: err}
+			if err := validateURL(rawURL, cfg.AllowedDomains); err != nil {
+				return tools.Result{Err: fmt.Errorf("http_get: %w", err)}
 			}

 			req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
@@ -61,7 +63,7 @@ func NewHTTPGet(cfg config.HTTPToolCfg) tools.Tool {
 }

 // NewHTTPPost creates an http_post tool that performs POST requests with a JSON body.
-// Validates URLs against cfg.AllowedDomains when non-empty.
+// Validates URLs against cfg.AllowedDomains and blocks internal IPs.
 func NewHTTPPost(cfg config.HTTPToolCfg) tools.Tool {
 	timeout := cfg.Timeout
 	if timeout == 0 {
@@ -87,8 +89,8 @@ func NewHTTPPost(cfg config.HTTPToolCfg) tools.Tool {
 			if bodyStr == "" {
 				return tools.Result{Err: fmt.Errorf("http_post: body is required")}
 			}
-			if err := validateDomain(rawURL, cfg.AllowedDomains); err != nil {
-				return tools.Result{Err: err}
+			if err := validateURL(rawURL, cfg.AllowedDomains); err != nil {
+				return tools.Result{Err: fmt.Errorf("http_post: %w", err)}
 			}

 			req, err := http.NewRequestWithContext(ctx, http.MethodPost, rawURL, strings.NewReader(bodyStr))
@@ -113,21 +115,84 @@ func NewHTTPPost(cfg config.HTTPToolCfg) tools.Tool {
 	}
 }

-// validateDomain checks that the URL's host is in the allowed list.
-// If allowedDomains is empty, all domains are allowed.
-func validateDomain(rawURL string, allowedDomains []string) error {
-	if len(allowedDomains) == 0 {
-		return nil
-	}
+// validateURL checks domain allowlist and blocks internal IPs (SSRF protection).
+func validateURL(rawURL string, allowedDomains []string) error {
 	u, err := url.Parse(rawURL)
 	if err != nil {
 		return fmt.Errorf("invalid url: %w", err)
 	}
+
 	host := u.Hostname()
+	if host == "" {
+		return fmt.Errorf("url has no host")
+	}
+
+	// SSRF protection: block internal/private IPs and localhost.
+	if err := rejectInternalHost(host); err != nil {
+		return err
+	}
+
+	// Domain allowlist (if configured).
+	if err := validateDomain(host, allowedDomains); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// validateDomain checks that the host is in the allowed list.
+// If allowedDomains is empty, all domains are allowed.
+func validateDomain(host string, allowedDomains []string) error {
+	if len(allowedDomains) == 0 {
+		return nil
+	}
+	lower := strings.ToLower(host)
 	for _, d := range allowedDomains {
-		if host == d {
+		if lower == strings.ToLower(d) {
 			return nil
 		}
 	}
 	return fmt.Errorf("domain %q not in allowed list", host)
 }
+
+// rejectInternalHost blocks requests to localhost, private IPs, and link-local addresses.
+func rejectInternalHost(host string) error {
+	lower := strings.ToLower(host)
+	if lower == "localhost" {
+		return fmt.Errorf("requests to localhost are blocked")
+	}
+
+	ip := net.ParseIP(host)
+	if ip == nil {
+		// Not an IP literal — could be a domain. Resolve it.
+		ips, err := net.LookupIP(host)
+		if err != nil {
+			return nil // let the HTTP client handle DNS errors
+		}
+		for _, resolved := range ips {
+			if isPrivateIP(resolved) {
+				return fmt.Errorf("domain %q resolves to private IP %s", host, resolved)
+			}
+		}
+		return nil
+	}
+
+	if isPrivateIP(ip) {
+		return fmt.Errorf("requests to private IP %s are blocked", ip)
+	}
+	return nil
+}
+
+// isPrivateIP returns true for loopback, private, link-local, and metadata IPs.
+func isPrivateIP(ip net.IP) bool {
+	return ip.IsLoopback() ||
+		ip.IsPrivate() ||
+		ip.IsLinkLocalUnicast() ||
+		ip.IsLinkLocalMulticast() ||
+		isMetadataIP(ip)
+}
+
+// isMetadataIP checks for cloud metadata service IPs (169.254.169.254).
+func isMetadataIP(ip net.IP) bool {
+	return ip.Equal(net.ParseIP("169.254.169.254"))
+}