🛡️ Sentinel: Mitigate SSRF in user-supplied content fetching

.jules/sentinel.md

@@ -2,3 +2,8 @@
 **Vulnerability:** The password reset endpoint explicitly indicated whether an email was registered and performed network-bound email sending synchronously.
 **Learning:** Returning specific error messages for non-existent accounts allows attackers to enumerate users. Synchronous email sending allows timing attacks to distinguish between existing and non-existing accounts.
 **Prevention:** Always return a uniform success response for public endpoints that accept identifiers (e.g., password reset, registration). Perform latency-heavy operations like email sending in a background goroutine to ensure consistent response times.
+
+## 2025-05-22 - [SSRF Protection for User-Supplied Content]
+**Vulnerability:** The application fetched user-supplied resources (like images) using a standard HTTP client without restricting access to internal network addresses.
+**Learning:** Even with a proxy, direct outbound requests from the server to user-controlled URLs pose an SSRF risk. Differentiating between "relay" requests (trusted/admin-configured) and "user-content" requests (untrusted) allows applying stricter security controls where needed without breaking core functionality.
+**Prevention:** Implement a custom `net.Dialer.Control` function to block connections to internal/private IP ranges (RFC 1918, etc.) for clients that handle untrusted URLs.

common/client/init.go

@@ -3,14 +3,17 @@ package client
 import (
 	"crypto/tls"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
+	"syscall"
 	"time"
 
 	"github.com/Laisky/zap"
 
 	"github.com/songquanpeng/one-api/common/config"
 	"github.com/songquanpeng/one-api/common/logger"
+	"github.com/songquanpeng/one-api/common/network"
 )
 
 // HTTPClient is the default outbound client used for relay requests.
@@ -24,9 +27,30 @@ var UserContentRequestHTTPClient *http.Client
 
 // Init builds the shared HTTP clients with proxy and timeout settings derived from configuration.
 func Init() {
-	// Create a transport with HTTP/2 disabled to avoid stream errors in CI environments
-	createTransport := func(proxyURL *url.URL) *http.Transport {
+	// Create a transport with HTTP/2 disabled to avoid stream errors in CI environments.
+	// Optionally blocks internal IP addresses to mitigate SSRF risks.
+	createTransport := func(proxyURL *url.URL, blockInternal bool) *http.Transport {
+		dialer := &net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}
+
+		if blockInternal {
+			dialer.Control = func(networkName, address string, c syscall.RawConn) error {
+				host, _, err := net.SplitHostPort(address)
+				if err != nil {
+					return err
+				}
+				ip := net.ParseIP(host)
+				if ip != nil && network.IsInternalIP(ip) {
+					return fmt.Errorf("SSRF protection: internal IP %s is blocked", ip)
+				}
+				return nil
+			}
+		}
+
 		transport := &http.Transport{
+			DialContext:  dialer.DialContext,
 			TLSNextProto: make(map[string]func(authority string, c *tls.Conn) http.RoundTripper), // Disable HTTP/2
 		}
 		if proxyURL != nil {
@@ -42,12 +66,12 @@ func Init() {
 			logger.Logger.Fatal(fmt.Sprintf("USER_CONTENT_REQUEST_PROXY set but invalid: %s", config.UserContentRequestProxy))
 		}
 		UserContentRequestHTTPClient = &http.Client{
-			Transport: createTransport(proxyURL),
+			Transport: createTransport(proxyURL, config.BlockInternalUserContentRequests),
 			Timeout:   time.Second * time.Duration(config.UserContentRequestTimeout),
 		}
 	} else {
 		UserContentRequestHTTPClient = &http.Client{
-			Transport: createTransport(nil),
+			Transport: createTransport(nil, config.BlockInternalUserContentRequests),
 			Timeout:   30 * time.Second, // Set a reasonable default timeout
 		}
 	}
@@ -58,9 +82,9 @@ func Init() {
 		if err != nil {
 			logger.Logger.Fatal(fmt.Sprintf("RELAY_PROXY set but invalid: %s", config.RelayProxy))
 		}
-		transport = createTransport(proxyURL)
+		transport = createTransport(proxyURL, false)
 	} else {
-		transport = createTransport(nil)
+		transport = createTransport(nil, false)
 	}
 
 	if config.RelayTimeout == 0 {

common/client/init_test.go

@@ -28,3 +28,16 @@ func TestInit(t *testing.T) {
 	require.NotNil(t, HTTPClient)
 	require.NotNil(t, ImpatientHTTPClient)
 }
+
+func TestUserContentRequestHTTPClient_SSRF(t *testing.T) {
+	// Test that UserContentRequestHTTPClient blocks internal IPs
+	Init()
+
+	// Try to fetch from localhost (which is an internal IP)
+	// We use a random port that is likely not listening to avoid connection refused
+	// but the DialControl should block it before it even tries to connect.
+	_, err := UserContentRequestHTTPClient.Get("http://127.0.0.1:12345")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "SSRF protection")
+	require.Contains(t, err.Error(), "blocked")
+}

common/config/config.go

@@ -659,6 +659,14 @@ var (
 	// Unit: seconds
 	UserContentRequestTimeout = env.Int("USER_CONTENT_REQUEST_TIMEOUT", 30)
 
+	// BlockInternalUserContentRequests determines whether to block requests to
+	// internal network addresses (localhost, private IPs) when fetching
+	// user-supplied content. This is a critical security feature to prevent SSRF.
+	//
+	// Environment variable: BLOCK_INTERNAL_USER_CONTENT_REQUESTS
+	// Default: true
+	BlockInternalUserContentRequests = env.Bool("BLOCK_INTERNAL_USER_CONTENT_REQUESTS", true)
+
 	// MaxInlineImageSizeMB limits the size of images that can be inlined as base64
 	// to prevent oversized payloads from overwhelming upstream providers.
 	//

common/network/ip.go

@@ -55,3 +55,8 @@ func IsIpInSubnets(ctx context.Context, ip string, subnets string) bool {
 	}
 	return false
 }
+
+// IsInternalIP returns true if the IP is a loopback, link-local, private, or unspecified address.
+func IsInternalIP(ip net.IP) bool {
+	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified()
+}