feat(backend): Remediate ADA-KUBEFL-01: Server-Side Request Forgery

[JerT33]

Description of your changes:

Background

Fixes SSRF vulnerability (ADA-KUBEFL-01) in CreatePipelineV1/V2 APIs where user-provided URLs are fetched without destination validation

Recommended remediation
Restrict where the backend will fetch from and validate the final destination:
• Replace arbitrary URLs with file uploads or server-generated pre-signed URLs for controlled object storage.
• If URLs must remain, enforce an allow-list of trusted domains; block private/loopback/link-local/metadata IP ranges
after DNS resolution and on every redirect; restrict schemes/ports (prefer https:// on standard ports); and use tight
timeouts.

To avoid disruption of any current users who rely on URLs for pipeline upload functionality, the following remediations have been completed:

• Domain allow-list
• Block private/loopback/link-local/metadata IP ranges
• DNS resolution before request
• Validation on every redirect
• Restrict schemes
• Restrict ports
• Request timeout

Logic:

Validate Pipeline URL:

1. Scheme check
   • https required by default
   • user controlled http allowance
2. Port check
   • https restricted to port 443
   • http restricted to port 80
3. DNS allow-list check
   • validate DNS against a preset list of common DNS
     • github
     • aws s3
     • google cloud storage
   • user controlled additional allowed DNS
4. DNS resolution
5. IP check
   • validate against a preset non-configurable blacklist of CIDR ranges
     • private
     • loopback
     • link-local
     • metadata
     • invalid

SafePipelineHTTPClient:

• Implement timeouts
  • defaults to 30 seconds
  • user controlled override
• Restrict redirects
  • maximum of 10
  • validate pipeline url on every redirect

General:

• Prevent XSS attacks by returning generic error messages, but log full error report

User-configurable options:

• PIPELINE_URL_ALLOWED_DOMAINS: extend the default domain allow-list
• PIPELINE_URL_ALLOW_HTTP: allow HTTP URLs (default false)
• PIPELINE_URL_TIMEOUT: configure request timeout in seconds (default 30)
• PIPELINE_URL_VALIDATION_ENABLED: toggle pipeline url validation - for testing purposes (default true)

Live Cluster Testing Evidence

Before:

After

(no additional URL fetch from latest test)

Checklist:

• You have signed off your commits
• The title for your pull request (PR) should follow our title convention. Learn more about the pull request title convention used in this repository.

[google-oss-prow]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hbelmiro for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• backend/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment