Defensive check: reject protocol-relative URLs in api_get path #25

Open
opened 2026-03-31 00:52:50 +00:00 by forgejo_admin · 0 comments

Type

Bug

Lineage

Discovered during QA review of PR #24 (generic api_get tool).

Repo

forgejo_admin/westside-ai-assistant

What Broke

The api_get tool's path validation prepends / to paths missing a leading slash, but does not reject protocol-relative URLs like //evil.com/foo. If Claude were to generate such a path, httpx could resolve it as an external request, creating an SSRF vector. Low risk given the LLM intermediary and cluster-internal network, but the defensive check is trivial.

Repro Steps

  1. Call BasketballClient.get("//evil.com/foo")
  2. Observe: httpx may attempt to resolve //evil.com/foo as a protocol-relative URL
  3. Similarly: BasketballClient.get("http://evil.com") could bypass the base URL

Expected Behavior

Paths starting with // or containing :// should be rejected with an error before the HTTP request is made.

Environment

  • Cluster/namespace: westside-ai-assistant (prod)
  • Service version/commit: PR #24 (23-generic-api-get branch, just merged)
  • Related alerts: none — preventive fix

Acceptance Criteria

  • Paths starting with // are rejected with an error
  • Paths containing :// are rejected with an error
  • Normal paths like /admin/players still work
  • Bug no longer reproduces

Related

  • project-westside-basketball
  • westside-ai-assistant #23 (parent feature)
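
An added example, not code from the repository: one way to implement the check described under Expected Behavior, run before any HTTP request is built. `validate_api_path`, `UnsafePathError`, `resolved_host`, `is_rejected` and `BASE_URL` are hypothetical names, and the origin comparison after joining goes beyond the two string checks the issue asks for. It uses only the standard library's RFC 3986 resolution and makes no claim about how httpx itself merges URLs.

```python
from urllib.parse import urljoin, urlsplit

# Assumed placeholder for the cluster-internal API base URL (not from the issue).
BASE_URL = "http://basketball-api.internal:8000"


class UnsafePathError(ValueError):
    """Raised when a path could steer the request away from BASE_URL."""


def resolved_host(path: str, base_url: str = BASE_URL) -> str:
    """Host that RFC 3986 reference resolution yields for base_url + path."""
    return urlsplit(urljoin(base_url, path)).hostname


def validate_api_path(path: str, base_url: str = BASE_URL) -> str:
    """Return the normalized path, or raise before any request is made."""
    # Reject before normalizing, so "//host" is never mistaken for a path
    # that already has its leading slash.
    if path.startswith("//"):
        raise UnsafePathError("protocol-relative URL rejected: %r" % path)
    if "://" in path:
        raise UnsafePathError("absolute URL rejected: %r" % path)
    # Existing behaviour described in the issue: prepend the missing slash.
    if not path.startswith("/"):
        path = "/" + path
    # Defense in depth (assumption, not in the issue): after resolution the
    # scheme and authority must still be those of the base URL.
    base = urlsplit(base_url)
    target = urlsplit(urljoin(base_url, path))
    if (target.scheme, target.netloc) != (base.scheme, base.netloc):
        raise UnsafePathError("resolved URL leaves the base origin: %r" % path)
    return path


def is_rejected(path: str) -> bool:
    """True when validate_api_path refuses the path."""
    try:
        validate_api_path(path)
    except UnsafePathError:
        return True
    return False
```

`resolved_host("//evil.com/foo")` returns `evil.com`, which is the off-base resolution the string checks exist to prevent.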