
Conversation

@nimish-ks (Member) commented Dec 26, 2025

🔍 Overview

This PR adds a network filtering utility that restricts the targets to which you can set up an integration on Phase Cloud. This provides a robust layer of protection against Server-Side Request Forgery (SSRF) by preventing the backend from making requests to internal, private, or reserved networks.

💡 Proposed Changes

  • New Utility: Created backend/api/utils/network.py containing validate_url_is_safe and is_ip_private.
  • Comprehensive Blacklist: Implemented BLOCKED_NETWORKS to filter out high-risk IP ranges:
    import ipaddress

    BLOCKED_NETWORKS = [
        ipaddress.ip_network("100.64.0.0/10"),   # Carrier Grade NAT (used by Tailscale, Alibaba Cloud metadata)
        ipaddress.ip_network("192.0.0.0/24"),    # IETF Protocol Assignments
        ipaddress.ip_network("198.18.0.0/15"),   # Network Benchmark
        ipaddress.ip_network("169.254.0.0/16"),  # Link-Local / Cloud Metadata
        ipaddress.ip_network("192.0.0.192/32"),  # Oracle Cloud Metadata
        ipaddress.ip_network("127.0.0.0/8"),     # Loopback
        ipaddress.ip_network("0.0.0.0/8"),       # Current network
        ipaddress.ip_network("240.0.0.0/4"),     # Reserved
        ipaddress.ip_network("::1/128"),         # IPv6 Loopback
        ipaddress.ip_network("fe80::/10"),       # IPv6 Link-Local
        ipaddress.ip_network("fc00::/7"),        # IPv6 Unique Local Address
        ipaddress.ip_network("224.0.0.0/4"),     # Multicast (IPv4)
        ipaddress.ip_network("ff00::/8"),        # Multicast (IPv6)
        ipaddress.ip_network("fec0::/10"),       # IPv6 Site-Local (Deprecated)
    ]
  • Integration Points: Applied this validation to all areas where user-supplied URLs are used for outbound requests:
    • AWS External Identities: Validates stsEndpoint in CreateIdentityMutation and UpdateIdentityMutation.
    • AWS IAM Auth: Runtime safety check in aws_iam_auth view.
    • Vault Sync: Validates VAULT_ADDR.
    • Nomad Sync: Validates NOMAD_ADDR.
    • GitLab Sync: Validates the GitLab host URL for self-hosted instances.

📝 Release Notes

  • Security Hardening: Added system-wide SSRF protection for integrations. All user-supplied integration hostnames/URLs are now validated against IANA-reserved and internal networks.
  • Finding Ref: V15
  • Severity: Medium

🧪 Testing

  • Negative Tests: Verified that attempting to use internal IPs (e.g., 127.0.0.1, 169.254.169.254, 192.168.1.1) as integration endpoints results in a ValidationError.
  • Positive Tests: Confirmed that standard public endpoints (e.g., sts.amazonaws.com, gitlab.com) continue to work correctly.
  • Hostname Resolution: Verified that the utility correctly resolves hostnames to IPs before checking the blacklist.

🎯 Reviewer Focus

  • backend/api/utils/network.py: Review the validate_url_is_safe logic and the list of blocked networks.
  • Identity and Sync modules: Ensure the validation is placed correctly before network calls are initiated.

➕ Additional Context

Finding reported by kolega.dev (only for the AWS STS endpoint).

✨ How to Test the Changes Locally

  1. Attempt to create an AWS External Identity via GraphQL with an stsEndpoint pointing to http://127.0.0.1:8000.
  2. Attempt to configure a Vault Sync integration with a vault_addr pointing to an internal IP (e.g., http://10.0.0.5).
  3. Verify that the UI/API returns an appropriate validation error: URL resolves to a restricted IP address.

💚 Did You...

  • Ensure linting passes (code style checks)?
  • Verify the app builds locally?
  • Manually test the changes on different integrations?

…checks

- Introduced `is_ip_private` function to determine if an IP address is private or belongs to blocked networks.
- Added `validate_url_is_safe` function to validate URLs against private/internal IP addresses and raise validation errors if necessary.
- Included additional blocked networks in the validation logic.
- Added a check to validate the Vault address URL for safety when the application host is set to "cloud".
- Integrated the `validate_url_is_safe` function to ensure secure URL usage during authentication.
- Added a check to validate the API host URL when the application host is set to "cloud".
- Integrated the `validate_url_is_safe` function to ensure secure URL usage during API host normalization.
- Added a check to validate the GitLab host URL when the application host is set to "cloud".
- Integrated the `validate_url_is_safe` function to ensure secure URL usage during GitLab credential retrieval.
- Added a check to validate the Nomad address URL when the application host is set to "cloud".
- Integrated the `validate_url_is_safe` function to ensure secure URL usage during Nomad token retrieval and secret synchronization.
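The description above outlines the validation flow (parse the user-supplied URL, resolve the host, reject anything that lands in a private or blocked range) without showing the function bodies. The following is an added, self-contained example of that pattern written for this page; it is not the project's backend/api/utils/network.py. The BLOCKED_NETWORKS list is copied from the PR description; the UnsafeURL exception, the injectable resolver parameter, the demo_resolver lookup table and the check helper are assumptions made so the example runs offline. It also covers two edge cases the summary does not spell out: an IPv4-mapped IPv6 literal such as [::ffff:10.0.0.5], and a hostname whose DNS answer mixes public and private addresses (rejected if any address is restricted).

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not the project's own code. BLOCKED_NETWORKS mirrors the PR
# description; everything else in this file is an assumption for illustration.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("100.64.0.0/10"),   # Carrier Grade NAT
    ipaddress.ip_network("192.0.0.0/24"),    # IETF Protocol Assignments
    ipaddress.ip_network("198.18.0.0/15"),   # Network Benchmark
    ipaddress.ip_network("169.254.0.0/16"),  # Link-Local / Cloud Metadata
    ipaddress.ip_network("192.0.0.192/32"),  # Oracle Cloud Metadata
    ipaddress.ip_network("127.0.0.0/8"),     # Loopback
    ipaddress.ip_network("0.0.0.0/8"),       # Current network
    ipaddress.ip_network("240.0.0.0/4"),     # Reserved
    ipaddress.ip_network("::1/128"),         # IPv6 Loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 Link-Local
    ipaddress.ip_network("fc00::/7"),        # IPv6 Unique Local Address
    ipaddress.ip_network("224.0.0.0/4"),     # Multicast (IPv4)
    ipaddress.ip_network("ff00::/8"),        # Multicast (IPv6)
    ipaddress.ip_network("fec0::/10"),       # IPv6 Site-Local (Deprecated)
]


class UnsafeURL(ValueError):
    """Hypothetical error type: the URL must not be used as an outbound target."""


def is_ip_private(ip_str):
    """True if the address is private/non-global per the stdlib or in BLOCKED_NETWORKS."""
    ip = ipaddress.ip_address(ip_str)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.5) is judged as the IPv4 it wraps.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_multicast:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(hostname):
    """Real DNS: every A/AAAA address the host has (sorted, de-duplicated)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_url_is_safe(url, resolver=default_resolver):
    """Parse, resolve, and reject if ANY resulting address is restricted.

    Returns the list of resolved addresses so the caller can connect to exactly
    what was checked instead of re-resolving later. Raises UnsafeURL otherwise.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeURL(f"unsupported scheme: {parsed.scheme!r}")
    host = parsed.hostname  # strips [] from IPv6 literals, drops userinfo and port
    if not host:
        raise UnsafeURL("URL has no host")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: no DNS lookup
    except ValueError:
        try:
            addresses = resolver(host)
        except socket.gaierror as exc:
            raise UnsafeURL(f"could not resolve {host!r}: {exc}") from exc
    if not addresses:
        raise UnsafeURL(f"{host!r} resolved to no addresses")
    for addr in addresses:
        if is_ip_private(addr):
            raise UnsafeURL("URL resolves to a restricted IP address")
    return addresses


def demo_resolver(hostname):
    """Constructed offline stand-in for DNS so the example runs without network."""
    table = {
        "sts.amazonaws.com": ["93.184.216.34"],           # constructed public answer
        "metadata.internal": ["169.254.169.254"],         # constructed: metadata IP
        "rebind.example": ["93.184.216.34", "10.0.0.5"],  # constructed: mixed answer
    }
    if hostname not in table:
        raise socket.gaierror(f"no such host: {hostname}")
    return table[hostname]


def check(url, resolver=demo_resolver):
    """Return 'ok' or the rejection reason, for a quick table of results."""
    try:
        validate_url_is_safe(url, resolver)
        return "ok"
    except UnsafeURL as exc:
        return str(exc)


if __name__ == "__main__":
    for u in ["https://sts.amazonaws.com", "http://127.0.0.1:8000", "http://10.0.0.5",
              "http://169.254.169.254/latest/meta-data/", "http://[::ffff:10.0.0.5]/",
              "http://metadata.internal", "http://rebind.example", "ftp://sts.amazonaws.com"]:
        print(f"{u:45} -> {check(u)}")
```

Two design points worth noting. First, the check rejects a hostname if any of its addresses is restricted, not just the first one returned, because the later HTTP client is free to pick any of them. Second, the function hands back the addresses it validated: a validate-then-connect flow that re-resolves the name at request time is only as strong as the DNS answer staying the same between the two lookups, so a caller that wants the check to bind to the actual connection should connect to the returned addresses (or pin them in its HTTP client) rather than resolving again.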
cursor bot (@cursor) commented Dec 26, 2025

You have run out of free Bugbot PR reviews for this billing cycle. This will reset on January 13.

To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

@nimish-ks nimish-ks self-assigned this Dec 26, 2025
@nimish-ks nimish-ks marked this pull request as draft December 26, 2025 11:55
@nimish-ks nimish-ks marked this pull request as ready for review January 9, 2026 10:22
@rohan-chaturvedi rohan-chaturvedi merged commit e20d803 into main Jan 10, 2026
4 checks passed
@rohan-chaturvedi rohan-chaturvedi deleted the feat--filter-integration-connections branch January 10, 2026 09:33