
security(tools): SSRF redirect chain defense (#857)#908

Merged
bug-ops merged 4 commits into main from feat/857-ssrf-defense on Feb 25, 2026

Conversation


@bug-ops bug-ops commented Feb 25, 2026

Summary

Test plan

  • 20 new unit + wiremock integration tests in crates/zeph-tools/src/scrape.rs
    • Single redirect followed successfully
    • Chain of 3 hops allowed, 4th hop rejected with "too many redirects"
    • Redirect to private IP (10.x, 192.168.x, 127.x, ::1) blocked via validate_url
    • Redirect to http:// scheme blocked
    • Redirect to .internal / .local domain blocked
    • Missing Location header → error
    • Non-2xx status → error
    • Body exceeding max_body_bytes → error
  • cargo nextest run -p zeph-tools → 510/510 passed
  • cargo clippy --workspace -- -D warnings → clean
  • cargo +nightly fmt --check → clean

…871)

Replace reqwest auto-redirect policy with manual redirect following in
WebScrapeExecutor. Each redirect Location is passed through validate_url
and resolve_and_validate before following, blocking private/internal IP
targets. Closes #871, closes #857.
…on tests

Add 20 tests covering manual redirect following in WebScrapeExecutor:
unit tests for hop counting, missing Location, status errors, URL
resolution, and validate_url guards on each redirect target; wiremock
integration tests exercising 1-hop, 3-hop allowed, 4-hop rejected, no
Location, oversized body, and non-2xx status against a real HTTP server.

docs: update security.md, tools.md, zeph-tools/README.md and root
README with SSRF redirect chain defense documentation.
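The manual redirect loop the PR describes (validate each Location before following it, cap the hop count, refuse downgraded schemes, internal suffixes and private addresses, then cap the body) written out as an added example; this is not zeph-tools code, and the names `validate_url` and `resolve_and_validate` are borrowed from the PR only as labels for my own implementations. `split_url`, `is_private_ip`, `fetch_with_redirects`, `demo_fetch`, `demo_resolve`, the `MAX_BODY_BYTES` value and every host (`pub.example`, `rebind.example`, `db.internal`) are hypothetical or constructed; the HTTP server and DNS resolver are injected closures standing in for reqwest and wiremock so the block runs offline with only the standard library.

```rust
use std::net::{IpAddr, Ipv4Addr};

pub const MAX_REDIRECTS: usize = 3; // three hops pass, the fourth is refused
pub const MAX_BODY_BYTES: usize = 1024; // constructed cap for this example

#[derive(Debug, PartialEq, Eq)]
pub enum ScrapeError {
    InvalidUrl, BlockedScheme, BlockedHost, BlockedIp(IpAddr),
    TooManyRedirects, MissingLocation, Status(u16), BodyTooLarge,
}

/// One simulated HTTP response: status code, Location header and body size.
pub struct Response { pub status: u16, pub location: Option<String>, pub body_len: usize }

/// Hypothetical helper: lowercase (scheme, host) of a URL, dropping userinfo and port.
fn split_url(url: &str) -> Result<(String, String), ScrapeError> {
    let (scheme, rest) = url.split_once("://").ok_or(ScrapeError::InvalidUrl)?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    let hostport = authority.rsplit('@').next().unwrap_or(authority); // the real host follows the last '@'
    let host = match hostport.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""),
        None => hostport.split(':').next().unwrap_or(""),
    };
    if host.is_empty() { Err(ScrapeError::InvalidUrl) } else { Ok((scheme.to_ascii_lowercase(), host.to_ascii_lowercase())) }
}

/// Loopback, private, link-local, unique-local and unspecified ranges; IPv4-mapped IPv6 is checked as IPv4.
fn is_private_ip(ip: IpAddr) -> bool {
    let v4 = |a: Ipv4Addr| a.is_private() || a.is_loopback() || a.is_link_local() || a.is_unspecified() || a.is_broadcast();
    match ip {
        IpAddr::V4(a) => v4(a),
        IpAddr::V6(a) => match a.to_ipv4_mapped() {
            Some(m) => v4(m),
            None => a.is_loopback() || a.is_unspecified() || (a.segments()[0] & 0xfe00) == 0xfc00 || (a.segments()[0] & 0xffc0) == 0xfe80,
        },
    }
}

/// Syntactic guard applied to every URL before it is fetched: scheme, host suffix and literal IP.
pub fn validate_url(url: &str) -> Result<(String, String), ScrapeError> {
    let (scheme, host) = split_url(url)?;
    if scheme != "https" { return Err(ScrapeError::BlockedScheme); }
    if host == "localhost" || host.ends_with(".internal") || host.ends_with(".local") { return Err(ScrapeError::BlockedHost); }
    if let Some(ip) = host.parse::<IpAddr>().ok().filter(|ip| is_private_ip(*ip)) { return Err(ScrapeError::BlockedIp(ip)); }
    Ok((scheme, host))
}

/// Resolve the host through the injected resolver and reject the URL if any answer is private.
pub fn resolve_and_validate(url: &str, resolve: &dyn Fn(&str) -> Vec<IpAddr>) -> Result<(), ScrapeError> {
    let (_, host) = validate_url(url)?;
    let private = resolve(&host).into_iter().find(|ip| is_private_ip(*ip));
    private.map_or(Ok(()), |ip| Err(ScrapeError::BlockedIp(ip)))
}

/// Follow redirects by hand so every hop passes the guards; returns the final URL and hop count.
/// Location values are taken as absolute URLs here; a real client also resolves relative ones.
pub fn fetch_with_redirects(start: &str, fetch: &dyn Fn(&str) -> Response, resolve: &dyn Fn(&str) -> Vec<IpAddr>) -> Result<(String, usize), ScrapeError> {
    let (mut url, mut hops) = (start.to_string(), 0usize);
    loop {
        resolve_and_validate(&url, resolve)?; // runs on the start URL and on every redirect target
        let resp = fetch(&url);
        match resp.status {
            301 | 302 | 303 | 307 | 308 => {
                hops += 1;
                if hops > MAX_REDIRECTS { return Err(ScrapeError::TooManyRedirects); }
                url = resp.location.ok_or(ScrapeError::MissingLocation)?;
            }
            200..=299 if resp.body_len > MAX_BODY_BYTES => return Err(ScrapeError::BodyTooLarge),
            200..=299 => return Ok((url, hops)),
            other => return Err(ScrapeError::Status(other)),
        }
    }
}

/// Constructed in-memory server standing in for the wiremock fixtures; every host is made up.
pub fn demo_fetch(url: &str) -> Response {
    let redirect = |to: &str| Response { status: 302, location: Some(to.to_string()), body_len: 0 };
    let ok = |n: usize| Response { status: 200, location: None, body_len: n };
    match url.strip_prefix("https://pub.example/").unwrap_or("") {
        "z" => redirect("https://pub.example/a"), "a" => redirect("https://pub.example/b"),
        "b" => redirect("https://pub.example/c"), "c" => redirect("https://pub.example/d"),
        "d" => ok(100), "big" => ok(4096), "nowhere" => Response { status: 302, location: None, body_len: 0 },
        "downgrade" => redirect("http://pub.example/d"), "private" => redirect("https://10.0.0.5/"),
        "v6" => redirect("https://[::1]/"), "internal" => redirect("https://db.internal/"),
        _ => Response { status: 404, location: None, body_len: 0 },
    }
}

/// Constructed resolver; one name answers with a private address next to a public one.
pub fn demo_resolve(host: &str) -> Vec<IpAddr> {
    let ips: &[&str] = match host { "pub.example" => &["203.0.113.10"], "rebind.example" => &["203.0.113.11", "192.168.1.20"], _ => &[] };
    ips.iter().map(|s| s.parse().unwrap()).collect()
}

fn main() {
    for start in ["https://pub.example/a", "https://pub.example/z", "https://pub.example/private"] {
        println!("{start} -> {:?}", fetch_with_redirects(start, &demo_fetch, &demo_resolve));
    }
}
```

The point of injecting `resolve` is the `rebind.example` case: the URL is syntactically clean, so `validate_url` alone passes it, and only checking every resolved address catches a name that answers with a private IP. Running the guard at the top of the loop, before the fetch, is what makes the start URL and each redirect target get identical treatment; an auto-following client would have fetched the private target before the scraper ever saw the Location.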
@github-actions github-actions bot added the labels size/XL, documentation (Improvements or additions to documentation), rust and dependencies on Feb 25, 2026
@bug-ops bug-ops enabled auto-merge (squash) February 25, 2026 20:26
@bug-ops bug-ops merged commit 3c599ba into main Feb 25, 2026
28 checks passed
@bug-ops bug-ops deleted the feat/857-ssrf-defense branch February 25, 2026 20:35


Development

Successfully merging this pull request may close these issues.

  • Web scraper SSRF: redirect targets not validated against private IPs
  • Epic: SSRF defense completeness
