Skip to content

fix: enforce https in webhook urls#1362

Open
AngeloDanducci wants to merge 6 commits into
generative-computing:mainfrom
AngeloDanducci:ad-1246-0
Open

fix: enforce https in webhook urls#1362
AngeloDanducci wants to merge 6 commits into
generative-computing:mainfrom
AngeloDanducci:ad-1246-0

Conversation

@AngeloDanducci

Copy link
Copy Markdown
Contributor

Pull Request

Issue

Fixes # - Partial for #1246

Description

Security hardening to enforce https and block ssrf targets

Also updated the formatting in utils.py to match our contributing guidelines - I assume I will continue to find some RST for the foreseeable future.

Testing

  • Tests added to the respective file if code was changed
  • New code has 100% coverage if code was added
  • Ensure existing tests and github automation passes (a maintainer will kick off the github automation when the rest of the PR is populated)

Attribution

  • AI coding assistants used

Adding a new component, requirement, sampling strategy, or tool?

If your PR adds or modifies one of the types below, check the matching box. A checklist of type-specific review items will be posted as a comment.

  • Component
  • Requirement
  • Sampling Strategy
  • Tool

NOTE: Please ensure you have an issue that has been acknowledged by a core contributor and routed you to open a pull request against this repository. Otherwise, please open an issue before continuing with this pull request.

Signed-off-by: AngeloDanducci <angelo.danducci.ii@ibm.com>
@AngeloDanducci AngeloDanducci requested review from a team, jakelorocco and nrfulton as code owners June 30, 2026 23:06
@AngeloDanducci AngeloDanducci requested a review from ajbozarth June 30, 2026 23:06
@github-actions github-actions Bot added the bug Something isn't working label Jun 30, 2026
Comment thread mellea/core/utils.py Outdated
Comment on lines +515 to +523
_SSRF_BLOCKS = (
ipaddress.ip_network("169.254.0.0/16"), # link-local / AWS IMDS
ipaddress.ip_network("127.0.0.0/8"), # loopback
ipaddress.ip_network("10.0.0.0/8"), # RFC-1918
ipaddress.ip_network("172.16.0.0/12"), # RFC-1918
ipaddress.ip_network("192.168.0.0/16"), # RFC-1918
ipaddress.ip_network("::1/128"), # IPv6 loopback
ipaddress.ip_network("fe80::/10"), # IPv6 link-local
)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could also use something like this:

import ipaddress
addr = ipaddress.ip_address(hostname)
if addr.is_loopback or addr.is_link_local or addr.is_private or addr.is_unspecified or addr.is_reserved:
    # block

explicit list is nice in that it's easier to audit, but then we have to keep it up to date (for example, should we include 0.0.0.0 and/or ::). don't have a strong opinion on which way is better (that's why just a comment rather than an explicit suggestion), wdyt?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Valid question and definitely easier to maintain - though I think is_private is a superset of the others.

I think this would be fine but this also brings up one other question which is do we think this is sufficient or do we also need to guard against dns rebinding @psschwei ?

@psschwei psschwei left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixing the docstrings is good and we should keep that.

Enforcing https for forwarding logs is probably fine to keep too.

But I don't think we need the denylist. The threat it's protecting against requires the attacker to already have control of the environment, which would mean we have much bigger problems. So I would drop that part completely.

Signed-off-by: AngeloDanducci <angelo.danducci.ii@ibm.com>
@AngeloDanducci AngeloDanducci requested a review from psschwei July 1, 2026 20:11
@psschwei

psschwei commented Jul 1, 2026

Copy link
Copy Markdown
Member

Actually now that I think about it, i'm a little torn. If we require https, and someone wants to test things out locally, then they have to hit an HTTPS endpoint on their machine. I don't know if that's the right behavior or not (might be good for someone who uses this functionality more to weigh in too)

@jakelorocco

Copy link
Copy Markdown
Contributor

I agree. The security risk seems minor.

  • I would suggest we edit the PR title to mention only https (so that it's not misleading when merged).
  • Maybe we can add a flag or something for http development like (MELLEA_LOGGER_INSECURE_HTTP_ALLOWED?).

@AngeloDanducci AngeloDanducci changed the title fix: enforce https and block ssrf targets fix: enforce https in webhook urls Jul 2, 2026
Signed-off-by: AngeloDanducci <angelo.danducci.ii@ibm.com>
@AngeloDanducci

Copy link
Copy Markdown
Contributor Author

Edited PR title, added flag to allow http when desired.

@AngeloDanducci AngeloDanducci enabled auto-merge July 2, 2026 16:15
@psschwei psschwei dismissed their stale review July 2, 2026 16:20

requested changes were made

@psschwei psschwei left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one nit and one question:

do the changes we introduce here need an update in docs/docs/observability/logging.md ?

otherwise LGTM

Comment thread mellea/core/utils.py Outdated
AngeloDanducci and others added 3 commits July 2, 2026 14:23
Co-authored-by: Paul Schweigert <paul@paulschweigert.com>
Signed-off-by: Angelo Danducci <angelo.danducci.ii@ibm.com>
Signed-off-by: AngeloDanducci <angelo.danducci.ii@ibm.com>
@AngeloDanducci AngeloDanducci disabled auto-merge July 2, 2026 18:32

@psschwei psschwei left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants