sec: enforce Skuld callback host allowlist at enqueue time #15
Merged
POST /v1/jobs/enqueue only checked that `url` was a non-empty string and queued it; the worker (worker/src/jobs/app-callback.ts) was the sole place enforcing SKULD_HOST_ALLOWLIST. An app holding the scoped SKULD_ENQUEUE_KEY could enqueue a callback to any host and only get rejected late, at worker delivery, after retries — poor DX and defense-in-depth gap flagged by the Svalinn/deepsec scan (SSRF, HIGH).

Validate the callback host against the same allowlist at enqueue time: parse `new URL(url)`, reject (400) any host not on config.skuldHostAllowlist. Fail closed — an empty allowlist refuses everything.

Mirrors the worker check and reads the same SKULD_HOST_ALLOWLIST var, so one config line covers both layers (already set on the control-plane container in prod).

Host-allowlist, not IP-range blocking: legit callbacks target internal container hosts, so blocking RFC1918 would break the feature.

Card: Brokk 642b42ba (svalinn:hauldr:deepsec:ssrf)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What

Validates the callback URL host against the allowlist at enqueue (`POST /v1/jobs/enqueue`), not only at delivery by the worker.

Why (Svalinn/deepsec — SSRF, HIGH)

The endpoint only checked `typeof url === 'string'` and enqueued. The only defense was the worker (`worker/src/jobs/app-callback.ts`), which rejects hosts outside `SKULD_HOST_ALLOWLIST` at delivery — late, after retries. An app with the `SKULD_ENQUEUE_KEY` (scoped key, distributed to the instances) could enqueue a callback to an internal host.

Analysis

`SKULD_HOST_ALLOWLIST` of the worker → 1 config line covers both layers. Already set on the control-plane container in prod (`skuld-sink:8080`, `maglink.coldcodelabs.com`), so the fail-closed behavior does not regress legitimate enqueues.

Acceptance (verified by logic test, 8/8)

Card Brokk: `642b42ba-069f-41bf-84d6-5d92c08f0d53` (`svalinn:hauldr:deepsec:ssrf`)

🤖 Generated with Claude Code
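The enqueue-time check described in the PR above, sketched as an added example; it is not the code from this PR or from the project. The names `parseAllowlist` and `checkCallbackUrl` are hypothetical, and the comma-separated allowlist format, matching on `URL.host`, and the http(s)-only rule are assumptions of this sketch.

```typescript
// Added example, not the project's code. Assumptions: comma-separated allowlist,
// entries compared to URL.host (hostname plus any non-default port).
interface EnqueueCheck { ok: boolean; status?: number; host?: string; error?: string }

// Parse the SKULD_HOST_ALLOWLIST value; undefined or blank yields an empty list.
function parseAllowlist(raw: string | undefined): string[] {
  return (raw || "").split(",").map((h) => h.trim().toLowerCase()).filter((h) => h.length > 0);
}

function checkCallbackUrl(url: unknown, allowlist: string[]): EnqueueCheck {
  if (typeof url !== "string" || url.length === 0) {
    return { ok: false, status: 400, error: "url must be a non-empty string" };
  }
  let parsed: URL;
  try {
    parsed = new URL(url); // WHATWG parser: lowercases the host, keeps userinfo out of .host
  } catch {
    return { ok: false, status: 400, error: "url is not a valid absolute URL" };
  }
  // Assumption of this example (not stated on the page): only http(s) callbacks.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { ok: false, status: 400, error: "unsupported scheme" };
  }
  // Fail closed: an empty allowlist matches nothing, so every URL is refused.
  if (allowlist.indexOf(parsed.host) === -1) {
    return { ok: false, status: 400, error: `host not allowed: ${parsed.host}` };
  }
  return { ok: true, host: parsed.host };
}

// Constructed sample inputs; the allowlist entries are the two prod values quoted above.
const allow = parseAllowlist("skuld-sink:8080, maglink.coldcodelabs.com");
const samples = [
  "http://skuld-sink:8080/cb",
  "https://MAGLINK.coldcodelabs.com/hook",
  "http://skuld-sink:8080@other.example/cb",        // allowlisted name only in userinfo
  "http://skuld-sink:9090/cb",                      // right name, wrong port
  "http://maglink.coldcodelabs.com.other.example/", // suffix lookalike
];
for (const s of samples) console.log(s, "->", checkCallbackUrl(s, allow).ok);
```

Comparing the parsed `host` for exact equality, rather than substring-matching the raw string, is what makes the last three samples fail.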