Pulse/pkg/securityutil
rcourtman b6f7091952 fix: block SSRF bypass through HTTP proxy in restricted outbound client
NewRestrictedOutboundHTTPClient validates target IPs via a custom
DialContext, but when an HTTP proxy is configured (HTTP_PROXY env var)
DialContext only validates the proxy's address — the actual target host
is never checked. This allows requests to cloud metadata service
addresses (169.254.169.254) and other blocked IPs through the proxy.

Add a restrictedRoundTripper wrapper that validates the request URL
hostname against resolvePermittedOutboundIP before forwarding. This
provides defense-in-depth that works regardless of proxy configuration,
while the existing DialContext guard continues to prevent DNS rebinding
for direct connections.
2026-06-26 13:05:23 +01:00
..
httpurl.go Allow insecure dev HTTP agent runtime URLs 2026-04-23 13:48:54 +01:00
outbound_http.go fix: block SSRF bypass through HTTP proxy in restricted outbound client 2026-06-26 13:05:23 +01:00
outbound_http_test.go fix: block SSRF bypass through HTTP proxy in restricted outbound client 2026-06-26 13:05:23 +01:00
websocket_origin.go Allow insecure dev HTTP agent runtime URLs 2026-04-23 13:48:54 +01:00