From bbe5530c1a4d1c0f8401a2d5dc60cf6942173117 Mon Sep 17 00:00:00 2001
From: Alex Gorevski
Date: Tue, 17 Feb 2026 12:15:48 -0800
Subject: [PATCH] fix(security): disable automatic redirects in http_request tool (#624)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #607

The http_request tool validated the initial URL against the domain allowlist and private-host rules, but reqwest's default redirect policy followed redirects automatically without revalidating each hop. This allowed SSRF via redirect chains from allowed domains to internal hosts. Set redirect policy to Policy::none() so 3xx responses are returned as-is. Callers that need to follow redirects must issue a new request, which goes through validate_url again.

Severity: High — SSRF/allowlist bypass via redirect chains.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/tools/http_request.rs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/tools/http_request.rs b/src/tools/http_request.rs
index 1d00253..d6f4cac 100644
--- a/src/tools/http_request.rs
+++ b/src/tools/http_request.rs
@@ -116,6 +116,7 @@ impl HttpRequestTool {
 ) -> anyhow::Result {
 let client = reqwest::Client::builder()
 .timeout(Duration::from_secs(self.timeout_secs))
+ .redirect(reqwest::redirect::Policy::none())
 .build()?;
 
 let mut request = client.request(method, url);
@@ -799,4 +800,12 @@ mod tests {
 );
 }
 }
+
+ #[test]
+ fn redirect_policy_is_none() {
+ // Structural test: the tool should be buildable with redirect-safe config.
+ // The actual Policy::none() enforcement is in execute_request's client builder.
+ let tool = test_tool(vec!["example.com"]);
+ assert_eq!(tool.name(), "http_request");
+ }
 }
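Review bot: The added `.redirect(reqwest::redirect::Policy::none())` line in the first hunk has no comment marking it as a security control, so a later change that wants redirect-following could drop it without realising each hop would skip `validate_url`. I would add above it `// SECURITY: never auto-follow redirects; each hop would bypass validate_url (allowlist + private-host checks).` With redirects off, the caller now receives the 3xx and its `Location` header, so whatever re-issues the request must pass that value through `validate_url` again rather than treat it as trusted; that path is not visible here. The enclosing function starts and ends outside the hunk.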
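Review bot: `redirect_policy_is_none` in the second hunk does not exercise the redirect policy: it only asserts `tool.name()`, so it still passes if the `.redirect(...)` line is deleted and gives no regression protection for a fix rated High. A behavioural test would bind a `std::net::TcpListener` on a loopback port, answer one request with a `302` and a `Location` header, send a request through the tool's client path, and assert that the returned status is 302 and that no second connection arrives. That probably means calling `execute_request` directly (its full signature is not visible here), since a loopback URL would presumably be rejected by the private-host rules. If that is not practical, rename the test to what it checks, e.g. `fn tool_builds_with_default_config()`, so the name does not claim coverage it lacks.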