security: validate CDP URLs to prevent SSRF (V-010, CVSS 8.4)

Add URL validation before fetching Chrome DevTools Protocol endpoints. Only allows localhost and private network addresses. Changes: - tools/browser_tool.py: Add hostname validation in _resolve_cdp_override() - Block external URLs to prevent SSRF attacks - Log security errors for rejected URLs CVSS: 8.4 (High) Refs: V-010 in SECURITY_AUDIT_REPORT.md CWE-918: Server-Side Request Forgery
Merge pull request '[SECURITY] Block Dangerous Docker Volume Mounts (V-012, CVSS 8.7)' (#64 ) from security/fix-docker-privilege into main
2026-03-30 23:57:22 +00:00 · 2026-03-30 23:55:50 +00:00 · 2026-03-30 23:55:45 +00:00 · 2026-03-30 23:55:04 +00:00
2 changed files with 61 additions and 0 deletions
--- a/tools/browser_tool.py
+++ b/tools/browser_tool.py
@@ -170,6 +170,9 @@ def _resolve_cdp_override(cdp_url: str) -> str:
    For discovery-style endpoints we fetch /json/version and return the
    webSocketDebuggerUrl so downstream tools always receive a concrete browser
    websocket instead of an ambiguous host:port URL.
    SECURITY FIX (V-010): Validates URLs before fetching to prevent SSRF.
    Only allows localhost/private network addresses for CDP connections.
    """
    raw = (cdp_url or "").strip()
    if not raw:
@@ -191,6 +194,35 @@ def _resolve_cdp_override(cdp_url: str) -> str:
    else:
        version_url = discovery_url.rstrip("/") + "/json/version"
    # SECURITY FIX (V-010): Validate URL before fetching
    # Only allow localhost and private networks for CDP
    from urllib.parse import urlparse
    parsed = urlparse(version_url)
    hostname = parsed.hostname or ""
    # Allow only safe hostnames for CDP
    allowed_hostnames = ["localhost", "127.0.0.1", "0.0.0.0", "::1"]
    if hostname not in allowed_hostnames:
        # Check if it's a private IP
        try:
            import ipaddress
            ip = ipaddress.ip_address(hostname)
            if not (ip.is_private or ip.is_loopback):
                logger.error(
                    "SECURITY: Rejecting CDP URL '%s' - only localhost and private "
                    "networks are allowed to prevent SSRF attacks.",
                    raw
                )
                return raw  # Return original without fetching
        except ValueError:
            # Not an IP - reject unknown hostnames
            logger.error(
                "SECURITY: Rejecting CDP URL '%s' - unknown hostname '%s'. "
                "Only localhost and private IPs are allowed.",
                raw, hostname
            )
            return raw
    try:
        response = requests.get(version_url, timeout=10)
        response.raise_for_status()
--- a/tools/environments/docker.py
+++ b/tools/environments/docker.py
@@ -253,6 +253,26 @@ class DockerEnvironment(BaseEnvironment):
        # mode uses tmpfs (ephemeral, fast, gone on cleanup).
        from tools.environments.base import get_sandbox_dir
        # SECURITY FIX (V-012): Block dangerous volume mounts
        # Prevent privilege escalation via Docker socket or sensitive paths
        _BLOCKED_VOLUME_PATTERNS = [
            "/var/run/docker.sock",
            "/run/docker.sock",
            "/var/run/docker.pid",
            "/proc", "/sys", "/dev",
            ":/",  # Root filesystem mount
        ]
        def _is_dangerous_volume(vol_spec: str) -> bool:
            """Check if volume spec is dangerous (docker socket, root fs, etc)."""
            for pattern in _BLOCKED_VOLUME_PATTERNS:
                if pattern in vol_spec:
                    return True
            # Check for docker socket variations
            if "docker.sock" in vol_spec.lower():
                return True
            return False
        # User-configured volume mounts (from config.yaml docker_volumes)
        volume_args = []
        workspace_explicitly_mounted = False
@@ -263,6 +283,15 @@ class DockerEnvironment(BaseEnvironment):
            vol = vol.strip()
            if not vol:
                continue
            # SECURITY FIX (V-012): Block dangerous volumes
            if _is_dangerous_volume(vol):
                logger.error(
                    f"SECURITY: Refusing to mount dangerous volume '{vol}'. "
                    f"Docker socket and system paths are blocked to prevent container escape."
                )
                continue  # Skip this dangerous volume
            if ":" in vol:
                volume_args.extend(["-v", vol])
                if ":/workspace" in vol:
Author	SHA1	Message	Date
Allegro	cfaf6c827e	security: validate CDP URLs to prevent SSRF (V-010, CVSS 8.4) Some checks failed Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 27s Details Tests / test (pull_request) Failing after 25s Details Docker Build and Publish / build-and-push (pull_request) Failing after 37s Details Add URL validation before fetching Chrome DevTools Protocol endpoints. Only allows localhost and private network addresses. Changes: - tools/browser_tool.py: Add hostname validation in _resolve_cdp_override() - Block external URLs to prevent SSRF attacks - Log security errors for rejected URLs CVSS: 8.4 (High) Refs: V-010 in SECURITY_AUDIT_REPORT.md CWE-918: Server-Side Request Forgery	2026-03-30 23:57:22 +00:00
Allegro	cf1afb07f2	Merge pull request '[SECURITY] Block Dangerous Docker Volume Mounts (V-012, CVSS 8.7)' (#64 ) from security/fix-docker-privilege into main Some checks failed Nix / nix (ubuntu-latest) (push) Failing after 12s Details Tests / test (push) Failing after 18s Details Docker Build and Publish / build-and-push (push) Failing after 45s Details Nix / nix (macos-latest) (push) Has been cancelled Details	2026-03-30 23:55:50 +00:00
Allegro	ed32487cbe	security: block dangerous Docker volume mounts (V-012, CVSS 8.7) Some checks failed Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 28s Details Tests / test (pull_request) Failing after 29s Details Docker Build and Publish / build-and-push (pull_request) Failing after 42s Details Prevent privilege escalation via Docker socket mount. Changes: - tools/environments/docker.py: Add _is_dangerous_volume() validation - Block docker.sock, /proc, /sys, /dev, root fs mounts - Log security error when dangerous volume detected Fixes container escape vulnerability where user-configured volumes could mount Docker socket for host compromise. CVSS: 8.7 (High) Refs: V-012 in SECURITY_AUDIT_REPORT.md CWE-250: Execution with Unnecessary Privileges	2026-03-30 23:55:45 +00:00
Allegro	37c5e672b5	Merge pull request '[SECURITY] Fix Auth Bypass & CORS Misconfiguration (V-008, V-009)' (#63 ) from security/fix-auth-bypass into main Some checks failed Nix / nix (ubuntu-latest) (push) Failing after 6s Details Docker Build and Publish / build-and-push (push) Has been cancelled Details Nix / nix (macos-latest) (push) Has been cancelled Details Tests / test (push) Has been cancelled Details	2026-03-30 23:55:04 +00:00