security: close audit findings #19–#23 and harden Docker setup (#24)

#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request #20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch #21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth #22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds #23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request #24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob; run db:migrate:deploy on container start so a fresh checkout boots without manual steps Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap) Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 18:19:21 +02:00
parent fd75628e9d
commit 0e119cfe73
17 changed files with 675 additions and 44 deletions
@@ -0,0 +1,70 @@
+/**
+ * SSRF guard for outbound webhook URLs.
+ *
+ * Validates that a target URL is not pointing to internal/private infrastructure
+ * before allowing a webhook to be stored or dispatched.
+ */
+import { lookup } from "node:dns/promises";
+import { TRPCError } from "@trpc/server";
+
+/** Regex patterns matching IP ranges that must not be targeted. */
+const BLOCKED_IP_PATTERNS: RegExp[] = [
+  // Loopback IPv4
+  /^127\./,
+  // Loopback IPv6
+  /^::1$/,
+  // RFC 1918 private
+  /^10\./,
+  /^172\.(1[6-9]|2\d|3[01])\./,
+  /^192\.168\./,
+  // Link-local
+  /^169\.254\./,
+  // Cloud metadata (AWS, GCP, Azure)
+  /^100\.64\./,
+];
+
+/** Hostnames that must never be resolved or contacted. */
+const BLOCKED_HOSTNAMES = new Set([
+  "localhost",
+  "metadata.google.internal",
+  "169.254.169.254",
+]);
+
+function isBlockedIp(ip: string): boolean {
+  return BLOCKED_IP_PATTERNS.some((re) => re.test(ip));
+}
+
+/**
+ * Throws a TRPCError if the given URL targets internal/private infrastructure.
+ * Performs DNS resolution to catch attempts to bypass hostname checks.
+ */
+export async function assertWebhookUrlAllowed(urlString: string): Promise<void> {
+  let parsed: URL;
+  try {
+    parsed = new URL(urlString);
+  } catch {
+    throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid webhook URL." });
+  }
+
+  if (parsed.protocol !== "https:") {
+    throw new TRPCError({ code: "BAD_REQUEST", message: "Webhook URLs must use HTTPS." });
+  }
+
+  const hostname = parsed.hostname.toLowerCase();
+
+  if (BLOCKED_HOSTNAMES.has(hostname)) {
+    throw new TRPCError({ code: "BAD_REQUEST", message: "Webhook URL target is not allowed." });
+  }
+
+  // Resolve hostname and validate the resulting IP address
+  try {
+    const { address } = await lookup(hostname);
+    if (isBlockedIp(address) || BLOCKED_HOSTNAMES.has(address)) {
+      throw new TRPCError({ code: "BAD_REQUEST", message: "Webhook URL target is not allowed." });
+    }
+  } catch (err) {
+    if (err instanceof TRPCError) throw err;
+    // DNS resolution failed — block by default (fail-closed)
+    throw new TRPCError({ code: "BAD_REQUEST", message: "Webhook URL could not be validated." });
+  }
+}
@@ -9,6 +9,7 @@
 import { createHmac } from "node:crypto";
 import { logger } from "./logger.js";
 import { sendSlackNotification } from "./slack-notify.js";
+import { assertWebhookUrlAllowed } from "./ssrf-guard.js";

 /** Available webhook event types. */
 export const WEBHOOK_EVENTS = [
@@ -85,6 +86,8 @@ async function _sendToWebhook(
  payload: Record<string, unknown>,
 ): Promise<void> {
  try {
+    await assertWebhookUrlAllowed(wh.url);
+
    // Slack-specific path: use the Slack notification helper
    if (wh.url.includes("hooks.slack.com")) {
      const message = formatSlackMessage(event, payload);