Skip to content

🧭 fix: Harden User Provided Endpoint URL Protection#13919

Merged
danny-avila merged 1 commit into
devfrom
danny-avila/security-provider-url-ssrf
Jun 23, 2026
Merged

🧭 fix: Harden User Provided Endpoint URL Protection#13919
danny-avila merged 1 commit into
devfrom
danny-avila/security-provider-url-ssrf

Conversation

@danny-avila

Copy link
Copy Markdown
Owner

Summary

I hardened user-provided custom/OpenAI-compatible provider URLs against SSRF and DNS-rebinding paths affecting model fetches, token-config fetches, model-list loading, and chat requests.

  • Validate user-provided base URLs before model fetches and config model loading, while preserving allowedAddresses exemptions.
  • Apply SSRF-safe Axios agents to model fetches, including Ollama /api/tags and OpenAI-compatible /models, and disable redirects on user-provided provider requests.
  • Apply SSRF-safe Undici connection handling to OpenAI-compatible chat/completion config and direct endpoint fetches.
  • Prevent proxy dispatchers/agents from replacing the SSRF-safe connection path for user-provided provider URLs because proxy resolution cannot enforce provider connect-time DNS checks.
  • Extend coverage for validation failures, redirect constraints, connect-time hardening, custom token-config fetches, and initialization wiring.

Change Type

  • Bug fix (non-breaking change which fixes an issue)

Testing

  • Ran npx jest --runTestsByPath src/endpoints/models.spec.ts src/endpoints/openai/config.spec.ts src/endpoints/custom/initialize.spec.ts src/endpoints/openai/initialize.spec.ts src/endpoints/config/models.spec.ts src/auth/agent.spec.ts --runInBand --coverage=false --watch=false.
  • Ran npm --prefix packages/api run build.

Test Configuration:

  • Built packages/data-provider and packages/data-schemas locally before tests so workspace package imports resolved to dist.

Checklist

  • My code adheres to this project
  • I have performed a self-review of my own code
  • I have commented in any complex areas of my code
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes

Copy link
Copy Markdown
Owner Author

@codex review

@danny-avila
danny-avila force-pushed the danny-avila/security-provider-url-ssrf branch from 1d26c86 to 553d67b Compare June 23, 2026 16:03

Copy link
Copy Markdown
Owner Author

@codex review

@danny-avila
danny-avila force-pushed the danny-avila/security-provider-url-ssrf branch from 553d67b to 5ad3f3d Compare June 23, 2026 16:07

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5ad3f3d036

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread packages/api/src/endpoints/custom/initialize.ts
@danny-avila
danny-avila force-pushed the danny-avila/security-provider-url-ssrf branch from 5ad3f3d to d7b3f86 Compare June 23, 2026 16:22

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

if (userProvidesURL && baseURL) {
await validateEndpointURL(baseURL, endpoint, appConfig?.endpoints?.allowedAddresses);

P2 Badge Validate only the Azure URL that will be used

When AZURE_OPENAI_BASEURL is user_provided but the selected Azure model maps to a YAML group with its own baseURL, this validates the stored user URL before mapModelToAzureConfig later replaces reverseProxyUrl with the admin-configured configBaseURL and marks it not user-provided. A stale or blocked user URL can therefore reject an otherwise valid Azure serverless/group request even though that URL is not used; defer validation until after the final URL is chosen and only validate it if it remains user-provided.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread packages/api/src/endpoints/anthropic/llm.ts Outdated
@danny-avila danny-avila changed the title 🛡️ fix: Harden User Provider URL SSRF Protection 🛡️ fix: Harden User Provided Endpoint URL Protection Jun 23, 2026
@danny-avila danny-avila changed the title 🛡️ fix: Harden User Provided Endpoint URL Protection 🧭 fix: Harden User Provided Endpoint URL Protection Jun 23, 2026
@danny-avila
danny-avila changed the base branch from main to dev June 23, 2026 19:06
@danny-avila
danny-avila force-pushed the danny-avila/security-provider-url-ssrf branch from d7b3f86 to 4382cda Compare June 23, 2026 19:06

Copy link
Copy Markdown
Owner Author

@codex review

Copy link
Copy Markdown
Owner Author

Addressed the Codex review note “Validate only the Azure URL that will be used” in 4382cda65.

I deferred OpenAI/Azure URL validation until after Azure model-group mapping chooses the final reverseProxyUrl, then only validate when baseURLIsUserProvided remains true. This prevents a stale user-stored Azure URL from blocking an admin-configured YAML group/serverless baseURL that replaces it.

Coverage added in packages/api/src/endpoints/openai/initialize.spec.ts for AZURE_OPENAI_BASEURL=user_provided with a selected admin model-group baseURL.

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. 🚀

Reviewed commit: 4382cda654

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@danny-avila
danny-avila marked this pull request as ready for review June 23, 2026 19:50
@danny-avila
danny-avila force-pushed the danny-avila/security-provider-url-ssrf branch from 4382cda to c567ab4 Compare June 23, 2026 19:52
@danny-avila
danny-avila merged commit 0a3448d into dev Jun 23, 2026
17 checks passed
@danny-avila
danny-avila deleted the danny-avila/security-provider-url-ssrf branch June 23, 2026 20:35
fuuuzzy pushed a commit to fuuuzzy/LibreChat that referenced this pull request Jul 7, 2026
ThomasVuNguyen pushed a commit to ThomasVuNguyen/LibreChat that referenced this pull request Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant