feat(alerting): SSRF guard on outbound connection URL

Rejects webhook URLs that resolve to loopback, link-local, or RFC-1918 private ranges (IPv4 + IPv6 ULA fc00::/7). Enforced on both create and update in OutboundConnectionServiceImpl before persistence; returns 400 Bad Request with "private or loopback" in the body. Bypass via `cameleer.server.outbound-http.allow-private-targets=true` for dev environments where webhooks legitimately point at local services. Production default is `false`. Test profile sets the flag to `true` in application-test.yml so the existing ITs that post webhooks to WireMock on https://localhost:PORT keep working. A dedicated OutboundConnectionSsrfIT overrides the flag back to false (via @TestPropertySource + @DirtiesContext) to exercise the reject path end-to-end through the admin controller. Plan 01 scope; required before SaaS exposure (spec §17). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 14:17:44 +02:00
parent f4c2cb120b
commit 5ebc729b82
6 changed files with 240 additions and 1 deletions
--- a/cameleer-server-app/src/test/java/com/cameleer/server/app/outbound/SsrfGuardTest.java
+++ b/cameleer-server-app/src/test/java/com/cameleer/server/app/outbound/SsrfGuardTest.java
@@ -0,0 +1,73 @@
+package com.cameleer.server.app.outbound;
+
+import org.junit.jupiter.api.Test;
+
+import java.net.URI;
+import java.util.Set;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+class SsrfGuardTest {
+
+    private final SsrfGuard guard = new SsrfGuard(false);  // allow-private disabled by default
+
+    @Test
+    void rejectsLoopbackIpv4() {
+        assertThatThrownBy(() -> guard.validate(URI.create("https://127.0.0.1/webhook")))
+            .isInstanceOf(IllegalArgumentException.class)
+            .hasMessageContaining("private or loopback");
+    }
+
+    @Test
+    void rejectsLocalhostHostname() {
+        assertThatThrownBy(() -> guard.validate(URI.create("https://localhost:8080/x")))
+            .isInstanceOf(IllegalArgumentException.class);
+    }
+
+    @Test
+    void rejectsRfc1918Ranges() {
+        for (String url : Set.of(
+            "https://10.0.0.1/x",
+            "https://172.16.5.6/x",
+            "https://192.168.1.1/x"
+        )) {
+            assertThatThrownBy(() -> guard.validate(URI.create(url)))
+                .as(url)
+                .isInstanceOf(IllegalArgumentException.class);
+        }
+    }
+
+    @Test
+    void rejectsLinkLocal() {
+        assertThatThrownBy(() -> guard.validate(URI.create("https://169.254.169.254/latest/meta-data/")))
+            .isInstanceOf(IllegalArgumentException.class);
+    }
+
+    @Test
+    void rejectsIpv6Loopback() {
+        assertThatThrownBy(() -> guard.validate(URI.create("https://[::1]/x")))
+            .isInstanceOf(IllegalArgumentException.class);
+    }
+
+    @Test
+    void rejectsIpv6UniqueLocal() {
+        assertThatThrownBy(() -> guard.validate(URI.create("https://[fc00::1]/x")))
+            .isInstanceOf(IllegalArgumentException.class);
+    }
+
+    @Test
+    void acceptsPublicHttps() {
+        // DNS resolution happens inside validate(); this test relies on a public hostname.
+        // Use a literal public IP to avoid network flakiness.
+        // 8.8.8.8 is a public Google DNS IP — not in any private range.
+        assertThat(new SsrfGuard(false)).isNotNull();
+        guard.validate(URI.create("https://8.8.8.8/"));  // does not throw
+    }
+
+    @Test
+    void allowPrivateFlagBypassesCheck() {
+        SsrfGuard permissive = new SsrfGuard(true);
+        permissive.validate(URI.create("https://127.0.0.1/"));  // must not throw
+    }
+}
--- a/cameleer-server-app/src/test/java/com/cameleer/server/app/outbound/controller/OutboundConnectionSsrfIT.java
+++ b/cameleer-server-app/src/test/java/com/cameleer/server/app/outbound/controller/OutboundConnectionSsrfIT.java
@@ -0,0 +1,67 @@
+package com.cameleer.server.app.outbound.controller;
+
+import com.cameleer.server.app.AbstractPostgresIT;
+import com.cameleer.server.app.TestSecurityHelper;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.TestPropertySource;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Dedicated IT that overrides the test-profile default `allow-private-targets=true`
+ * back to `false` so the SSRF guard's production behavior (reject loopback) is
+ * exercised end-to-end through the admin controller.
+ *
+ * Uses {@link DirtiesContext} to avoid polluting the shared context used by the
+ * other ITs which rely on the flag being `true` to hit WireMock on localhost.
+ */
+@TestPropertySource(properties = "cameleer.server.outbound-http.allow-private-targets=false")
+@DirtiesContext
+class OutboundConnectionSsrfIT extends AbstractPostgresIT {
+
+    @Autowired private TestRestTemplate restTemplate;
+    @Autowired private TestSecurityHelper securityHelper;
+
+    private String adminJwt;
+
+    @BeforeEach
+    void setUp() {
+        adminJwt = securityHelper.adminToken();
+        // Seed admin user row since users(user_id) is an FK target.
+        jdbcTemplate.update(
+                "INSERT INTO users (user_id, provider, email, display_name) VALUES (?, 'test', ?, ?) ON CONFLICT (user_id) DO NOTHING",
+                "test-admin", "test-admin@example.com", "test-admin");
+        jdbcTemplate.update("DELETE FROM outbound_connections WHERE tenant_id = 'default'");
+    }
+
+    @AfterEach
+    void cleanup() {
+        jdbcTemplate.update("DELETE FROM outbound_connections WHERE tenant_id = 'default'");
+        jdbcTemplate.update("DELETE FROM users WHERE user_id = 'test-admin'");
+    }
+
+    @Test
+    void rejectsLoopbackUrlOnCreate() {
+        String body = """
+                {"name":"evil","url":"https://127.0.0.1/abuse","method":"POST",
+                 "tlsTrustMode":"SYSTEM_DEFAULT","auth":{}}""";
+
+        ResponseEntity<String> resp = restTemplate.exchange(
+                "/api/v1/admin/outbound-connections", HttpMethod.POST,
+                new HttpEntity<>(body, securityHelper.authHeaders(adminJwt)),
+                String.class);
+
+        assertThat(resp.getStatusCode()).isEqualTo(HttpStatus.BAD_REQUEST);
+        assertThat(resp.getBody()).isNotNull();
+        assertThat(resp.getBody()).contains("private or loopback");
+    }
+}
--- a/cameleer-server-app/src/test/resources/application-test.yml
+++ b/cameleer-server-app/src/test/resources/application-test.yml
@@ -17,3 +17,5 @@ cameleer:
      bootstraptokenprevious: old-bootstrap-token
      infrastructureendpoints: true
      jwtsecret: test-jwt-secret-for-integration-tests-only
+    outbound-http:
+      allow-private-targets: true