fix(security): disable automatic redirects in http_request tool (#624)

Closes #607 The http_request tool validated the initial URL against the domain allowlist and private-host rules, but reqwest's default redirect policy followed redirects automatically without revalidating each hop. This allowed SSRF via redirect chains from allowed domains to internal hosts. Set redirect policy to Policy::none() so 3xx responses are returned as-is. Callers that need to follow redirects must issue a new request, which goes through validate_url again. Severity: High — SSRF/allowlist bypass via redirect chains. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-17 12:15:48 -08:00 · 2026-02-17 12:15:48 -08:00 · bbe5530c1a
commit bbe5530c1a
parent 8724884b00
1 changed files with 9 additions and 0 deletions
--- a/src/tools/http_request.rs
+++ b/src/tools/http_request.rs
@ -116,6 +116,7 @@ impl HttpRequestTool {
    ) -> anyhow::Result<reqwest::Response> {
        let client = reqwest::Client::builder()
            .timeout(Duration::from_secs(self.timeout_secs))
+            .redirect(reqwest::redirect::Policy::none())
            .build()?;

        let mut request = client.request(method, url);
@ -799,4 +800,12 @@ mod tests {
            );
        }
    }
+
+    #[test]
+    fn redirect_policy_is_none() {
+        // Structural test: the tool should be buildable with redirect-safe config.
+        // The actual Policy::none() enforcement is in execute_request's client builder.
+        let tool = test_tool(vec!["example.com"]);
+        assert_eq!(tool.name(), "http_request");
+    }
 }