fix: ssrf validation for oauth #39505
Conversation
🦋 Changeset detected
Latest commit: aea73a1
The changes in this PR will be included in the next version bump. This PR includes changesets to release 41 packages.
Walkthrough
A patch was released that disables SSRF validation for OAuth token and identity endpoint requests by adding
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~8 minutes
🚥 Pre-merge checks: ✅ 5 passed
/jira CORE
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## develop #39505 +/- ##
===========================================
+ Coverage 70.88% 70.91% +0.02%
===========================================
Files 3197 3197
Lines 113337 113337
Branches 20531 20530 -1
===========================================
+ Hits 80342 80374 +32
+ Misses 30948 30913 -35
- Partials 2047 2050 +3
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
apps/meteor/app/custom-oauth/server/custom_oauth_server.js (1)
139-145: ⚠️ Potential issue | 🔴 Critical
Don't bypass SSRF protection for configurable OAuth endpoints.
`ignoreSsrfValidation: true` disables the full private-range / metadata / DNS-pinning guard for both requests, and `this.tokenPath`/`this.identityPath` are built from admin-configurable provider URLs. That turns a login regression fix into a blanket SSRF escape hatch and can leak the client secret or bearer token to internal services. Please keep validation on and solve the internal-IdP case with a narrow allowlist or an explicit opt-in for private-network OAuth endpoints instead of disabling the guard entirely.
Also applies to: 179-180
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@apps/meteor/app/custom-oauth/server/custom_oauth_server.js` around lines 139-145: the fetch calls that use this.tokenPath and this.identityPath must not set ignoreSsrfValidation: true; remove that flag and keep SSRF validation enabled, and implement a safe opt-in/allowlist for private-network IdPs instead: validate the configured provider URL with the existing SSRF validator before calling fetch, or add an explicit admin-only provider flag (e.g., provider.allowPrivateNetworkOAuth or global allowPrivateOAuth) that, when set, records consent and runs a narrow hostname/CIDR allowlist check before permitting internal-network requests; apply this change to the fetch usage around tokenPath and the similar identityPath fetch (the same pattern at the other location mentioned) so no blanket SSRF bypass is used.
🧹 Nitpick comments (1)
apps/meteor/app/custom-oauth/server/custom_oauth_server.js (1)
140-140: Remove the new inline SECURITY comments. Please keep the rationale in the PR/commit message or an extracted helper name instead of implementation comments.
As per coding guidelines: "Avoid code comments in the implementation".
Also applies to: 179-179
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@apps/meteor/app/custom-oauth/server/custom_oauth_server.js` at line 140: remove the inline "SECURITY" comments in apps/meteor/app/custom-oauth/server/custom_oauth_server.js (the comments at the URL-configuration check and the similar one later) and instead capture the rationale outside the implementation, either in the PR/commit message or by renaming the helper/function involved to make intent explicit (e.g., change the helper name that controls the URL check to something self-documenting like allowUrlConfigOnlyForPrivilegedUsers). Do not leave explanatory comments in the code; ensure the code itself and any helper names clearly convey why the check is relaxed.
📒 Files selected for processing (2)
- .changeset/unlucky-impalas-matter.md
- apps/meteor/app/custom-oauth/server/custom_oauth_server.js
🔇 Additional comments (1)
.changeset/unlucky-impalas-matter.md (1)
5-5: Security controls for OAuth SSRF validation are in place and properly documented in the code. The OAuth provider URLs can only be configured by workspace administrators (via the `add-oauth-service` permission restricted to admin role), making the SSRF validation bypass acceptable and secure. The implementation includes explicit security comments explaining this rationale.
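Added example, not code from this PR or from Rocket.Chat, of the narrow opt-in the review above asks for: the SSRF check stays on for every configured token/identity URL, and a private-network IdP is reachable only when the provider both opts in and matches a hostname/CIDR allowlist. The provider fields `allowPrivateNetworkOAuth` and `privateAllowlist` and the function names are assumptions; the check classifies literal IPv4 hosts only, so a production guard must also resolve and pin hostnames.

```javascript
// Added example, not Rocket.Chat code: SSRF guard for admin-configured
// OAuth endpoints with an explicit opt-in allowlist for private IdPs.
// Only literal IPv4 hosts are classified here (assumption); a real guard
// must also resolve hostnames and pin the resolved address.
const PRIVATE_CIDRS = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
  '127.0.0.0/8', '169.254.0.0/16', '0.0.0.0/8'];

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipInt & mask) === (baseInt & mask);
}

// provider.allowPrivateNetworkOAuth and provider.privateAllowlist are
// hypothetical admin-only settings; returns { ok, reason }.
function checkOAuthEndpoint(urlString, provider = {}) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: 'invalid-url' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  const host = url.hostname;
  if (host.startsWith('[')) return { ok: false, reason: 'ipv6-unsupported' }; // fail closed
  const isLiteralIp = ipv4ToInt(host) !== null;
  const isPrivate = host === 'localhost'
    || (isLiteralIp && PRIVATE_CIDRS.some((cidr) => inCidr(host, cidr)));
  if (!isPrivate) return { ok: true };
  // Private target: require the explicit opt-in AND an allowlist match,
  // never a blanket ignoreSsrfValidation bypass.
  if (!provider.allowPrivateNetworkOAuth) return { ok: false, reason: 'private-network' };
  const allowed = (provider.privateAllowlist || []).some((entry) =>
    (entry.includes('/') ? isLiteralIp && inCidr(host, entry) : entry === host));
  return allowed ? { ok: true } : { ok: false, reason: 'not-allowlisted' };
}
```

Because the WHATWG `URL` parser canonicalizes IPv4 hosts, alternate spellings of the same address are classified the same way; the hostname-resolution and pinning step is what the real guard adds on top of this.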
/patch
Pull request #39517 added to Project: "Patch 8.2.1"
Proposed changes (including videos or screenshots)
Issue(s)
Fixes #39328
Steps to test or reproduce
Further comments
Task: CORE-1938