Fix: Fix DNS Rebinding/TOCTOU Vulernability #5653
Conversation
Part of advisory https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2x8m-83vc-6wv4 Ensures that the validated host/ip is the same one used when resolving later on. Refactoring methods secureFetch and secureAxiosRequest to use resolver helper methods
Summary of ChangesHello @christopherholland-workday, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses critical Server-Side Request Forgery (SSRF) bypass vulnerabilities by implementing robust security measures for outbound HTTP requests. It focuses on eliminating DNS rebinding (TOCTOU) issues, enforcing deny-list validation at the point of connection, and securing redirect handling. The changes ensure that all requests utilize DNS-pinned connections that match validated IP addresses, thereby removing insecure default behaviors and significantly strengthening the application's defense against network-based attacks. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request effectively addresses a critical DNS Rebinding (TOCTOU) vulnerability in secureAxiosRequest and secureFetch by implementing DNS pinning. The changes ensure that outbound requests connect to the same IP that was validated, even across redirects. I also appreciate the move to a secure-by-default configuration that requires HTTP_DENY_LIST to be set. The code is much cleaner and more secure. I have a few minor suggestions to improve code consistency and clarity.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
…/Flowise into feature/fix-toctou-bug
| const resolved = await resolveAndValidate(currentUrl) | ||
| const agent = createPinnedAgent(resolved) | ||
|
|
||
| const response = await fetch(currentUrl, { ...currentInit, agent: () => agent }) |
Check failure
Code scanning / CodeQL
Server-side request forgery Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 12 hours ago
General strategy: ensure that user-controlled URLs cannot resolve to internal or loopback IP ranges, even if HTTP_DENY_LIST is unset or misconfigured. The existing mechanism (checkDenyList + isDeniedIP) is already the central guard used both at the service boundary and inside redirect-aware helpers (secureFetch, secureAxiosRequest). The best fix is to make checkDenyList always enforce a baseline deny-list of private/loopback ranges (RFC1918, loopback, link‑local, etc.) in addition to any values provided via HTTP_DENY_LIST. This keeps the flow unchanged (req.query.url → service → webCrawl/xmlScrape → secureFetch), but makes the guard robust enough that the tainted URL cannot reach sensitive internal destinations.
Concretely, in packages/components/src/httpSecurity.ts:
- Update
checkDenyListso that it no longer early‑returns whenHTTP_DENY_LISTis undefined or empty; instead, it always builds an effective deny-list composed of a default list of dangerous IP ranges plus any extra entries fromHTTP_DENY_LIST. - The default deny-list should include at least:
127.0.0.0/8(loopback)10.0.0.0/8172.16.0.0/12192.168.0.0/16169.254.0.0/16(link‑local)::1/128(IPv6 loopback)fc00::/7(IPv6 unique local)fe80::/10(IPv6 link‑local)
- Keep the rest of
checkDenyListlogic (hostname resolution and calls toisDeniedIP) unchanged, just feed it the combined deny-list instead of one derived solely from the environment.
These changes are confined to packages/components/src/httpSecurity.ts. No new imports are required and no callers need to change, so existing functionality (including the ability to add more blocked ranges via HTTP_DENY_LIST) remains, with stronger default protections that directly address the SSRF concern.
| @@ -34,14 +34,32 @@ | ||
|
|
||
| /** | ||
| * Checks if a URL is allowed based on HTTP_DENY_LIST environment variable | ||
| * and a built-in deny list of private/loopback address ranges. | ||
| * @param url - URL to check | ||
| * @throws Error if URL hostname resolves to a denied IP | ||
| */ | ||
| export async function checkDenyList(url: string): Promise<void> { | ||
| const httpDenyListString: string | undefined = process.env.HTTP_DENY_LIST | ||
| if (!httpDenyListString) return | ||
|
|
||
| const httpDenyList = httpDenyListString.split(',').map((ip) => ip.trim()) | ||
| // Built-in deny list to protect against SSRF to internal networks, | ||
| // even if HTTP_DENY_LIST is not configured. | ||
| const defaultDenyList: string[] = [ | ||
| '127.0.0.0/8', // IPv4 loopback | ||
| '10.0.0.0/8', // IPv4 private | ||
| '172.16.0.0/12', // IPv4 private | ||
| '192.168.0.0/16', // IPv4 private | ||
| '169.254.0.0/16', // IPv4 link-local | ||
| '::1/128', // IPv6 loopback | ||
| 'fc00::/7', // IPv6 unique local | ||
| 'fe80::/10' // IPv6 link-local | ||
| ] | ||
|
|
||
| const envDenyList: string[] = httpDenyListString | ||
| ? httpDenyListString.split(',').map((ip) => ip.trim()).filter((ip) => ip.length > 0) | ||
| : [] | ||
|
|
||
| const httpDenyList: string[] = [...defaultDenyList, ...envDenyList] | ||
|
|
||
| const urlObj = new URL(url) | ||
| const hostname = urlObj.hostname | ||
|
|
There was a problem hiding this comment.
This is by design/an artifact from a previous commit: https://github.com/FlowiseAI/Flowise/blob/main/packages/components/src/httpSecurity.ts#L178
Will check with the team if there are other actions required to fix this
| } | ||
|
|
||
| async function resolveAndValidate(url: string): Promise<ResolvedTarget> { | ||
| const denyListString = process.env.HTTP_DENY_LIST |
There was a problem hiding this comment.
By forcing every users to specify HTTP_DENY_LIST, its not user/begineer friendly.
The decision we took is to allow users to have the option to specify if needed, otherwise its not blocking by default. Its not secured by default. We have also documented here
Overview
Part of advisory https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2x8m-83vc-6wv4
This PR fixes multiple SSRF bypass issues in the HTTP security wrappers by eliminating DNS rebinding (TOCTOU) vulnerabilities and enforcing deny-list validation at request time.
The changes ensure that every outbound HTTP request uses a DNS-pinned connection that matches the validated IP, including across redirects, and that insecure default behavior is removed.
Solution
1. Default insecure configuration
Previously, if
HTTP_DENY_LISTwas unset, requests were allowed without restriction, including access tolocalhostand private IP ranges.Fix:
Requests now fail fast when
HTTP_DENY_LISTis not defined, ensuring SSRF protections are always enforced.DNS rebinding (TOCTOU) vulnerability
The previous implementation validated hostnames using dns.lookup, but the HTTP client would perform a second DNS resolution when opening the socket. This allowed attackers to return a safe IP during validation and switch to a blocked IP during connection. This seemed to be the case for both the
secureFetchandsecureAxiosRequestmethods.Callers of these methods, like
utils#crawlshould be protected via strengthening of these methodsFix:
DNS resolution and validation now occur immediately before each request, and the resolved IP is pinned into the socket using a custom http.Agent / https.Agent. This guarantees the request connects to the same IP that was validated.
Redirect safety
Redirects were previously followed automatically by the HTTP client, allowing bypass of validation on redirected URLs.
Fix:
Automatic redirects are disabled. Each redirect target is:
Redirect method rewriting (e.g. POST → GET on 303) follows HTTP specifications.
node-fetch agent handling
When using [email protected], passing an Agent instance directly may not guarantee it is used, potentially allowing DNS re-resolution.
Fix:
The agent is now passed as a function (agent: () => agent), which node-fetch v2 reliably invokes, ensuring the pinned agent is always used.