fix: add security validation and enhanced error handling for reranker

- Enforce HTTPS for non-localhost URLs to protect API key transmission
- Add custom Zod validation for URL scheme security in UI
- Include comprehensive tests for URL validation logic
- Add missing translation key for HTTPS requirement error
- Enhance Chinese translations for validation messages
- Fix IPv6 localhost handling for [::1] addresses

This commit builds on the CI fixes from PR RooCodeInc#6621 by roomote bot
and adds the security enhancements requested in the PR review.

Co-authored-by: roomote[bot] <roomote[bot]@users.noreply.github.com>

Author: 2 people

src/services/code-index/rerankers/local.ts

@@ -22,6 +22,19 @@ export class LocalReranker extends BaseReranker {
 			throw new Error("Local reranker requires an API key")
 		}
 
+		// Validate URL scheme for security
+		const url = new URL(config.url)
+		const isLocalhost =
+			url.hostname === "localhost" ||
+			url.hostname === "127.0.0.1" ||
+			url.hostname === "[::1]" || // IPv6 localhost with brackets
+			url.hostname === "::1" // IPv6 localhost without brackets
+
+		// Require HTTPS for non-localhost URLs to protect API key transmission
+		if (!isLocalhost && url.protocol !== "https:") {
+			throw new Error("Reranker URL must use HTTPS for secure API key transmission (exception: localhost)")
+		}
+
 		this.baseUrl = config.url.replace(/\/$/, "") // Remove trailing slash
 		this.apiKey = config.apiKey
 		this.model = config.model

src/tests/services/code-index/rerankers/local.test.ts

@@ -62,6 +62,43 @@ describe("LocalReranker", () => {
 			expect(() => new LocalReranker(invalidConfig)).toThrow("Local reranker requires an API key")
 		})
 
+		it("should throw error when non-localhost URL uses HTTP", () => {
+			const insecureConfig = { ...mockConfig, url: "http://example.com" }
+
+			expect(() => new LocalReranker(insecureConfig)).toThrow(
+				"Reranker URL must use HTTPS for secure API key transmission (exception: localhost)",
+			)
+		})
+
+		it("should allow HTTP for localhost URLs", () => {
+			const mockAxiosCreate = vi.fn().mockReturnValue({})
+			;(axios.create as any) = mockAxiosCreate
+
+			const localhostConfigs = [
+				{ ...mockConfig, url: "http://localhost:8080" },
+				{ ...mockConfig, url: "http://127.0.0.1:8080" },
+				{ ...mockConfig, url: "http://[::1]:8080" },
+			]
+
+			localhostConfigs.forEach((config) => {
+				expect(() => new LocalReranker(config)).not.toThrow()
+			})
+		})
+
+		it("should allow HTTPS for any URL", () => {
+			const mockAxiosCreate = vi.fn().mockReturnValue({})
+			;(axios.create as any) = mockAxiosCreate
+
+			const httpsConfig = { ...mockConfig, url: "https://api.example.com" }
+
+			expect(() => new LocalReranker(httpsConfig)).not.toThrow()
+			expect(mockAxiosCreate).toHaveBeenCalledWith(
+				expect.objectContaining({
+					baseURL: "https://api.example.com",
+				}),
+			)
+		})
+
 		it("should remove trailing slash from url", () => {
 			const mockAxiosCreate = vi.fn().mockReturnValue({})
 			;(axios.create as any) = mockAxiosCreate

webview-ui/src/components/chat/CodeIndexPopover.tsx

@@ -110,7 +110,25 @@ const createValidationSchema = (
 					codebaseIndexRerankerUrl: z
 						.string()
 						.min(1, t("settings:codeIndex.validation.rerankerUrlRequired"))
-						.url(t("settings:codeIndex.validation.invalidRerankerUrl")),
+						.url(t("settings:codeIndex.validation.invalidRerankerUrl"))
+						.refine((url) => {
+							try {
+								const parsedUrl = new URL(url)
+								const isLocalhost =
+									parsedUrl.hostname === "localhost" ||
+									parsedUrl.hostname === "127.0.0.1" ||
+									parsedUrl.hostname === "[::1]" || // IPv6 localhost with brackets
+									parsedUrl.hostname === "::1" // IPv6 localhost without brackets
+
+								// Require HTTPS for non-localhost URLs
+								if (!isLocalhost && parsedUrl.protocol !== "https:") {
+									return false
+								}
+								return true
+							} catch {
+								return false
+							}
+						}, t("settings:codeIndex.validation.rerankerUrlMustBeHttps")),
 					codebaseIndexRerankerModel: z
 						.string()
 						.min(1, t("settings:codeIndex.validation.rerankerModelRequired")),
@@ -255,7 +273,8 @@ export const CodeIndexPopover: React.FC<CodeIndexPopoverProps> = ({
 				codebaseIndexSearchMinScore:
 					codebaseIndexConfig.codebaseIndexSearchMinScore ?? CODEBASE_INDEX_DEFAULTS.DEFAULT_SEARCH_MIN_SCORE,
 				codebaseIndexRerankerEnabled: codebaseIndexConfig.codebaseIndexRerankerEnabled ?? false,
-				codebaseIndexRerankerProvider: codebaseIndexConfig.codebaseIndexRerankerProvider === "local" ? "local" as const : undefined,
+				codebaseIndexRerankerProvider:
+					codebaseIndexConfig.codebaseIndexRerankerProvider === "local" ? ("local" as const) : undefined,
 				codebaseIndexRerankerUrl: codebaseIndexConfig.codebaseIndexRerankerUrl || "",
 				codebaseIndexRerankerModel: codebaseIndexConfig.codebaseIndexRerankerModel || "ms-marco-MiniLM-L-6-v2",
 				codebaseIndexRerankerTopN: codebaseIndexConfig.codebaseIndexRerankerTopN ?? 100,

webview-ui/src/i18n/locales/en/settings.json

@@ -126,7 +126,8 @@
 			"invalidRerankerUrl": "Please enter a valid URL for the reranker service",
 			"rerankerUrlRequired": "Reranker URL is required when using local provider",
 			"rerankerApiKeyRequired": "API key is required for this reranker provider",
-			"rerankerModelRequired": "Reranker model is required"
+			"rerankerModelRequired": "Reranker model is required",
+			"rerankerUrlMustBeHttps": "Reranker URL must use HTTPS for secure API key transmission (exception: localhost)"
 		},
 		"rerankerConfigLabel": "Search Enhancement (Reranking)",
 		"newFeatureBadge": "New",