Security review: Fix SSRF vulnerability and non-security bugs in CIMD executor#1477
Draft
Copilot wants to merge 3 commits intoISSUE-45284from
Draft
Security review: Fix SSRF vulnerability and non-security bugs in CIMD executor#1477Copilot wants to merge 3 commits intoISSUE-45284from
Copilot wants to merge 3 commits intoISSUE-45284from
Conversation
Non-security fixes: - Fix swapped CREATE/UPDATE comments in process() - Fix unused paContext variable in ClientIdUriSchemeCondition - Fix incorrect max cache time comment (259200s = 3 days, not 30 days) - Fix HTTP 307 -> 304 Not Modified in javadoc - Fix misleading regex documentation (code uses wildcard matching) - Fix typo mandagory -> mandatory Security fixes: - Add SSRF protection: verifyNotInternalAddress() blocks loopback, private (site-local), link-local, and wildcard addresses - SSRF check is enforced when allowHttpScheme is false (production) - SSRF check is skipped when allowHttpScheme is true (dev only) - Add ERR_SSRF_BLOCKED error constant - Update tests to use allowHttpScheme=true for dev/test scenarios Co-authored-by: tnorimat <25092005+tnorimat@users.noreply.github.com>
Co-authored-by: tnorimat <25092005+tnorimat@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Review issue 45284 for bugs and security improvements
Security review: Fix SSRF vulnerability and non-security bugs in CIMD executor
Feb 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security review of the CIMD (Client ID Metadata Document) feature on branch ISSUE-45284. Found missing SSRF protection in
verifyUri()and six non-security bugs.Description
SSRF Vulnerability (Critical)
The code comments claim loopback/private IP checks exist, but
verifyUri()only validates trusted domain names — no DNS resolution check. An attacker with a trusted domain resolving to an internal IP (DNS rebinding) could trigger server-side requests to internal services viafetchClientMetadata().Fix: Added
verifyNotInternalAddress()which resolves hostnames and blocks loopback (127.0.0.0/8,::1), private/site-local (10.0.0.0/8,172.16.0.0/12,192.168.0.0/16), link-local (169.254.0.0/16,fe80::/10), and wildcard addresses. Gated byallowHttpSchemeconfig — enforced in production (default), skipped in dev mode. Gracefully handlesUnknownHostException(no SSRF risk if fetch also fails).Non-Security Bug Fixes
process(): CREATE/UPDATE labels were reversed oncreateClientMetadata/updateClientMetadatacallspaContextassigned thencontextre-cast on next line inClientIdUriSchemeConditioncheckTrustedDomain()uses*.wildcard matchingTest Updates
Added
setAllowHttpScheme(true)to all test executor configs that uselocalhostfor the full CIMD flow, sincelocalhostresolves to a loopback address now blocked by SSRF protection.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
repo.gradle.org/usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/keycloak/keycloak org.codehaus.plexus.classworlds.launcher.Launcher compile -pl services -nsu -q(dns block)repository.jboss.org/usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/keycloak/keycloak org.codehaus.plexus.classworlds.launcher.Launcher compile -pl services -nsu -q(dns block)/usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/keycloak/keycloak org.codehaus.plexus.classworlds.launcher.Launcher install -DskipTests -nsu -q(dns block)/usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/keycloak/keycloak org.codehaus.plexus.classworlds.launcher.Launcher dependency:tree -Dverbose(dns block)If you need me to access, download, or install something from one of these locations, you can either:
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.