fix: comprehensive HTTP tool security hardening & review #222

Open
esafwan wants to merge 2 commits into develop from claude/review-http-tool-pV2wb

Conversation


@esafwan esafwan commented Mar 25, 2026

Summary

Full security review and hardening of the HTTP tool ecosystem. Two commits:

Commit 1: Activate SSRF protection in http_handler.py

  • validate_url() was defined but never called — agents could freely hit internal IPs, localhost, cloud metadata (169.254.169.254)
  • Now called before every outbound request
  • DNS rebinding protection via socket.getaddrinfo() (hostname → IP check)
  • Blocks 169.254.x.x, 0.0.0.0, ::1, all RFC 1918 ranges
  • HTTP method whitelist: only GET/POST/PUT/PATCH/DELETE/HEAD
  • 10MB response size limit

Commit 2: Harden the broader HTTP tool ecosystem

Security fixes across 6 files:

| Fix | File | Detail |
| --- | --- | --- |
| SSRF in _download_content() | tool_functions.py | Raw requests.get(url) with zero protection — now calls validate_url() |
| SSRF in URL knowledge extractor | knowledge/extractors/url.py | User-provided knowledge source URLs now validated |
| SSRF in image download | sdk_tools.py | Agent-provided image URLs now validated |
| CRLF header injection | agent_tool_function.py | Header key/value pairs checked for \r and \n characters |
| Reserved param name collision | agent_tool_function.py | Parameters named url, params, json_data, headers, data, tool_name, method rejected for HTTP tools |
| Base URL format validation | agent_tool_function.py | Must be valid http:// or https:// URL with hostname |
| Content-Length pre-check | http_handler.py | Checks Content-Length header before downloading full body |
| Frontend type safety | toolCreationForm.utils.ts | base_url validated as URL, http_headers typed as {key, value}[] |

Files changed

  • huf/ai/http_handler.py — SSRF activation, method whitelist, response limits, Content-Length pre-check
  • huf/ai/tool_functions.py — SSRF protection for _download_content()
  • huf/ai/sdk_tools.py — SSRF protection for image URL downloads
  • huf/ai/knowledge/extractors/url.py — SSRF protection for knowledge URL extraction
  • huf/huf/doctype/agent_tool_function/agent_tool_function.py — base_url, CRLF, reserved param validations
  • frontend/src/components/tools/toolCreationForm.utils.ts — Zod schema improvements

Full review document

A comprehensive review document covering the entire HTTP tool ecosystem (architecture, execution flow, all remaining issues, prioritized improvement plan) is available in the plan file. Key remaining items for future work:

  • Configurable timeout per tool (currently hardcoded 30s)
  • Request audit logging / Agent Tool Call records for HTTP tools
  • Rate limiting per tool per user
  • Backend unit tests (test_agent_tool_function.py is currently empty)
  • HTTP handler integration tests
  • Frontend: header value masking for secrets, common header autocomplete

Test plan

  • Create a GET tool with base_url = https://httpbin.org — verify requests work
  • Try creating a tool with parameter named url — verify rejection
  • Try setting base_url to ftp://invalid — verify rejection
  • Try header with \r\n in value — verify rejection
  • Verify agents cannot request 127.0.0.1, 10.x.x.x, 192.168.x.x, 169.254.169.254
  • Verify agents can still make requests to public external APIs
  • Verify GET and POST tool types work end-to-end with base_url and headers
  • Verify unsupported HTTP methods (e.g. TRACE) are rejected
  • Verify responses larger than 10MB return a structured error
  • Verify _download_content blocks private IPs for file attachments
  • Verify knowledge URL extractor blocks private IPs
  • Frontend: verify base_url validation shows error for invalid URLs
  • Frontend: verify TypeScript compiles cleanly

https://claude.ai/code/session_0185G6EwYpV4GTgKkvJNmCRk
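As an added illustration of the checks the PR describes, and not the project's own validate_url (its code is not on this page): a URL validator that resolves the hostname and rejects any resolved address outside public ranges, plus the CR/LF header check. The resolver is injectable, and fake_resolver with constructed entries stands in for socket.getaddrinfo so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def _is_blocked(ip: str) -> bool:
    """Loopback, RFC 1918 / ULA, link-local (169.254.x.x metadata), 0.0.0.0/::
    and every other non-public range; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not addr.is_global

def validate_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return url unchanged or raise ValueError. Every address the hostname
    resolves to is checked, so a name pointing at an internal IP fails too."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"URL must be http(s) with a hostname: {url!r}")
    try:
        infos = resolver(parsed.hostname, parsed.port)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {parsed.hostname!r}: {exc}") from exc
    for *_, sockaddr in infos:
        if _is_blocked(sockaddr[0]):
            raise ValueError(f"{parsed.hostname!r} resolves to blocked {sockaddr[0]}")
    return url

def validate_header(key: str, value: str) -> None:
    """Reject CR/LF so a value cannot end the header line and inject another."""
    if any(ch in key or ch in value for ch in "\r\n"):
        raise ValueError(f"CR/LF not allowed in header {key!r}")

# Constructed stand-in for socket.getaddrinfo so the example runs offline;
# literal IPs pass straight through, as the real resolver does.
_FAKE_DNS = {"internal.test": "10.0.0.5", "meta.test": "169.254.169.254", "api.test": "93.184.216.34"}

def fake_resolver(host, port):
    ip = _FAKE_DNS.get(host) or str(ipaddress.ip_address(host))
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))]

def is_allowed(url: str) -> bool:
    """Convenience wrapper over validate_url using the constructed resolver."""
    try:
        validate_url(url, resolver=fake_resolver)
        return True
    except ValueError:
        return False
```

Checking the resolved address here and then letting the HTTP client resolve the name again leaves a window in which a second lookup can return a different address; connecting to the address that was checked, or re-validating at connect time, closes it.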

claude added 2 commits March 25, 2026 07:23
The validate_url() function existed but was never called, leaving
agents free to hit internal IPs, localhost, and cloud metadata
endpoints. This commit:

- Calls validate_url() before every outbound request
- Resolves DNS to prevent rebinding attacks (hostname → IP check)
- Blocks 169.254.x.x (cloud metadata), 0.0.0.0, and IPv6 loopback
- Adds HTTP method whitelist (GET/POST/PUT/PATCH/DELETE/HEAD only)
- Adds 10MB response size limit to prevent memory exhaustion
- Cleans up duplicate imports and formatting

https://claude.ai/code/session_0185G6EwYpV4GTgKkvJNmCRk
…frontend types

Security fixes:
- Add SSRF protection to _download_content() in tool_functions.py
- Add SSRF protection to URL knowledge extractor and image download in sdk_tools.py
- Add CRLF injection prevention for HTTP header key/value pairs
- Add reserved parameter name validation for HTTP tools (url, params, json_data, etc.)
- Add base_url format validation (must be valid http/https URL)

Robustness:
- Add Content-Length pre-check before downloading full response body
- Improve frontend Zod schema: base_url URL validation, typed http_headers array

Also includes auto-formatting by ruff on touched files.

https://claude.ai/code/session_0185G6EwYpV4GTgKkvJNmCRk
@esafwan esafwan changed the title fix: activate SSRF protection and harden HTTP tool handler fix: comprehensive HTTP tool security hardening & review Mar 28, 2026