BUG: Plugin HTTP has no SSRF protection #505

Description

@andrinoff

Describe the bug

plugin/http.go validates URL scheme (only allows http:// and https://) but does not block requests to private/internal IP ranges. A malicious or poorly-written plugin could:

  • Probe the local network (127.0.0.1, 10.x, 192.168.x)
  • Access cloud metadata endpoints (169.254.169.254)
  • Hit internal services on localhost

To reproduce

  1. Install a plugin that calls matcha.http({url = "http://169.254.169.254/latest/meta-data/"})
  2. The request succeeds and returns cloud instance metadata

Expected behavior

Requests to private IP ranges (RFC 1918), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and other non-routable addresses should be blocked by default. Consider using a custom http.Transport with a DialContext that validates the resolved IP before connecting.

OS

All platforms
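The mitigation the report asks for, a custom http.Transport whose DialContext validates the resolved IP before connecting, as an added example that is not code from the matcha project or from the issue author. It assumes nothing about plugin/http.go beyond the fact that it builds an http.Client; the function names (isDisallowedIP, resolveAndCheck, newSafeTransport) are hypothetical. Beyond the ranges listed in the report it also refuses the shared address space 100.64.0.0/10, the IPv6 unique-local range and IPv4-mapped IPv6 forms such as ::ffff:10.0.0.1, which bypass naive string checks.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// extraBlocked holds IPv4 ranges that the net.IP helper methods do not
// classify but a plugin host should still refuse (constructed list).
var extraBlocked []*net.IPNet

func init() {
	for _, c := range []string{"0.0.0.0/8", "100.64.0.0/10"} {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		extraBlocked = append(extraBlocked, n)
	}
}

// isDisallowedIP reports whether ip lies in a range a plugin must never
// reach: loopback, RFC 1918 / RFC 4193 private space, link-local (which
// includes the 169.254.169.254 metadata endpoint), multicast, unspecified,
// and the extra ranges above. IPv4-mapped IPv6 is normalised first.
func isDisallowedIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	for _, n := range extraBlocked {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// resolveAndCheck splits host:port, resolves the host once and returns a
// "ip:port" string built from the first answer. Any disallowed answer
// rejects the whole request, so a mixed DNS reply cannot sneak a private
// address through alongside a public one.
func resolveAndCheck(ctx context.Context, addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal IP in the URL: no DNS involved
	} else {
		addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return "", err
		}
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	if len(ips) == 0 {
		return "", fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return "", fmt.Errorf("refusing to connect to non-public address %s for host %q", ip, host)
		}
	}
	return net.JoinHostPort(ips[0].String(), port), nil
}

// newSafeTransport dials the exact IP that was just validated rather than
// re-resolving the hostname, which closes the DNS-rebinding window between
// check and connect. Redirect hops reuse the same transport, so every hop
// is checked as well.
func newSafeTransport() *http.Transport {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	return &http.Transport{
		Proxy: nil, // ignore environment proxies so the check sees the real destination
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			safeAddr, err := resolveAndCheck(ctx, addr)
			if err != nil {
				return nil, err
			}
			return dialer.DialContext(ctx, network, safeAddr)
		},
	}
}

func main() {
	client := &http.Client{Transport: newSafeTransport(), Timeout: 15 * time.Second}
	// The metadata request from the report is now rejected before any packet is sent.
	_, err := client.Get("http://169.254.169.254/latest/meta-data/")
	fmt.Println("metadata request:", err)
}
```

TLS still verifies against the original hostname: http.Transport derives the SNI and certificate name from the request URL, not from the address the dialer connected to, so dialing by IP does not weaken HTTPS. A host allowlist in addition to this denylist is stricter still where the plugin's legitimate destinations are known.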

Metadata

Labels: bug (Something isn't working), needs-response (Waiting on issue author reply), stale (No activity for extended period)

Status: Done

Assignees: no one assigned. Milestone: none. Development: no branches or pull requests.