fix(ssrf-safety): restore SSRF safety checks and enhance diagnostics …

[Artuomka]

…for URL validation

Summary by CodeRabbit

• Bug Fixes

  • Restored Server-Side Request Forgery (SSRF) protection for HTTP table actions with improved host validation
  • Expanded security controls to block additional reserved and private IP ranges
  • Enhanced DNS resolution logic for more granular address filtering

• Tests

  • Expanded test coverage for SSRF protection validation scenarios

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR upgrades SSRF (Server-Side Request Forgery) protection by refactoring the DNS guard logic to filter resolved IPs and reject only when none are allowed, extends the forbidden hosts blocklist with additional CIDR ranges, validates both single and multi-address behaviors in tests, and integrates the guard into HTTP table actions with Slack diagnostics on failure.

Changes

SSRF Protection Enhancement

Layer / File(s)	Summary
SSRF Guard Core Logic & Forbidden Hosts backend/src/helpers/validators/ssrf-safe-http.ts, backend/src/helpers/constants/constants.ts	ssrfGuardLookup now filters resolved IPs to remove forbidden addresses, returning the allowed list when options.all=true or the first allowed address otherwise; rejection occurs only when the filtered list is empty. Constants.FORBIDDEN_HOSTS adds IPv4 ranges (100.64.0.0/10, 192.0.0.0/24, 198.18.0.0/15) and IPv6 unspecified (::/128).
SSRF Guard Test Coverage backend/test/ava-tests/unit-tests/ssrf-safe-http.test.ts	Adds lookupAll helper to test multi-address mode (options.all=true). Expands forbidden hosts validation loop with additional reserved/bogon ranges. New tests verify all mode returns an array for public IPs and rejects when all resolved addresses are forbidden.
HTTP Action Service Integration backend/src/entities/table-actions/table-actions-module/table-action-activation.service.ts	Re-enables getSsrfSafeRequestConfig() in axios POST options. Adds error handling to detect SSRF guard failures, extract the target host, and send a diagnostic Slack message to the exceptions channel; non-SSRF errors continue through existing flow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• rocket-admin/rocketadmin#1830: Modifies the same activateTableAction call and SSRF guard configuration in table-action-activation.service.ts.
• rocket-admin/rocketadmin#1826: Introduces the initial SSRF guard filtering logic and test structure that this PR extends with multi-address support and service integration.

Poem

🐰 A rabbit hops through networks secure,
Where dangerous hosts are blocked for sure.
IPs are filtered, allowed ones stay—
No SSRF mischief today!
With Slack alerts when guards defend,
Safe table actions 'til the end. 🛡️

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main changes: restoring SSRF safety checks (by re-enabling getSsrfSafeRequestConfig) and enhancing diagnostics (by adding Slack notifications for blocked hosts).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	PR restores SSRF safety with DNS lookup guards, RFC-compliant forbidden hosts list, IPv6 normalization, split-horizon DNS support, timeouts, redirect prevention, and safe error logging.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch backend_bug_fixes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR restores and strengthens SSRF protections around outbound HTTP requests by improving DNS resolution handling, expanding the set of forbidden IP ranges, re-enabling SSRF-safe Axios configuration for table actions, and adding/expanding unit test coverage for the SSRF guard behavior.

Changes:

• Updated ssrfGuardLookup to filter out forbidden DNS results (instead of rejecting hosts with any forbidden record) and to support all=true so Node can fall back across allowed addresses.
• Expanded forbidden network ranges (CGNAT, benchmarking, IETF protocol assignments, and IPv6 unspecified address) and updated unit tests accordingly.
• Re-enabled SSRF-safe request configuration for table action HTTP activations and added temporary Slack diagnostics for SSRF guard rejections.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
backend/test/ava-tests/unit-tests/ssrf-safe-http.test.ts	Adds coverage for additional forbidden ranges and all=true behavior (including the “all resolved addresses forbidden” case).
backend/src/helpers/validators/ssrf-safe-http.ts	Filters forbidden DNS answers, returns all allowed answers when requested, and improves failure messaging when no allowed addresses remain.
backend/src/helpers/constants/constants.ts	Expands FORBIDDEN_HOSTS with additional special-purpose/non-routable ranges and ::/128.
backend/src/entities/table-actions/table-actions-module/table-action-activation.service.ts	Re-enables SSRF-safe Axios config for action webhooks and adds temporary Slack diagnostics for SSRF guard blocks.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

🧹 Nitpick comments (1)

backend/src/entities/table-actions/table-actions-module/table-action-activation.service.ts (1)

230-245: 💤 Low value

Variable shadowing reduces readability.

errorMessage is declared at line 230 for the SSRF check, then again at line 245 inside the Axios error block. While this works correctly, the shadowing can cause confusion during maintenance.

Consider renaming the first one:

♻️ Suggested rename

-			const errorMessage = error instanceof Error ? error.message : String(error);
-			if (errorMessage.includes('SSRF guard')) {
+			const errorText = error instanceof Error ? error.message : String(error);
+			if (errorText.includes('SSRF guard')) {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@backend/src/entities/table-actions/table-actions-module/table-action-activation.service.ts`
around lines 230 - 245, The code shadows the variable errorMessage (declared
before the SSRF check and re-declared inside the axios error branch), which
reduces readability; rename one of them (e.g., rename the first errorMessage
used for the SSRF guard to ssrfErrorMessage or rename the axios block's
errorMessage to axiosErrorMessage) and update its usages (the SSRF host
construction and slackPostMessage call or the axios.isAxiosError branch) so
there is a single clear, non-shadowing identifier per scope (refer to error
handling around the SSRF check, slackPostMessage, axios.isAxiosError, and
tableAction.url).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@backend/src/entities/table-actions/table-actions-module/table-action-activation.service.ts`:
- Around line 230-245: The code shadows the variable errorMessage (declared
before the SSRF check and re-declared inside the axios error branch), which
reduces readability; rename one of them (e.g., rename the first errorMessage
used for the SSRF guard to ssrfErrorMessage or rename the axios block's
errorMessage to axiosErrorMessage) and update its usages (the SSRF host
construction and slackPostMessage call or the axios.isAxiosError branch) so
there is a single clear, non-shadowing identifier per scope (refer to error
handling around the SSRF check, slackPostMessage, axios.isAxiosError, and
tableAction.url).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6f04e933-f797-4f62-b80c-a5f90b5f2220

📥 Commits

Reviewing files that changed from the base of the PR and between 890feb0 and 72fd830.

📒 Files selected for processing (4)

• backend/src/entities/table-actions/table-actions-module/table-action-activation.service.ts
• backend/src/helpers/constants/constants.ts
• backend/src/helpers/validators/ssrf-safe-http.ts
• backend/test/ava-tests/unit-tests/ssrf-safe-http.test.ts