SSRF and header-injection guard for customer-supplied provider URLs.
§URL guard
validate_provider_url checks a customer-controlled base_url before any
HTTP request is dispatched. It enforces:
- Scheme must be https (or http when allow_local is true).
- The host must not be a private/loopback/link-local/ULA IP address, the
  cloud-metadata addresses (169.254.169.254, 100.100.100.200), or the
  hostname localhost, *.local, or metadata.google.internal.
- When allow_local is true (self-hosted / local provider), all of the above
  checks are bypassed; only basic URL parsing is performed.
- A best-effort DNS resolution step rejects the URL if any resolved address
  falls in a private range.
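The host and resolved-address rules listed above can be sketched with the standard library alone. This is an added example, not the crate's implementation: the function names are hypothetical, and the IPv4-mapped IPv6 unwrapping, the 0.0.0.0 check, and the trailing-dot and case normalization are assumptions that go beyond the list.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
// Cloud-metadata addresses named in the list above.
const METADATA_V4: [Ipv4Addr; 2] =
    [Ipv4Addr::new(169, 254, 169, 254), Ipv4Addr::new(100, 100, 100, 200)];

fn v4_is_blocked(ip: Ipv4Addr) -> bool {
    // 100.100.100.200 sits in 100.64.0.0/10, which is_private() does not cover,
    // so the metadata list is checked explicitly. 0.0.0.0 is an added assumption.
    ip.is_loopback() || ip.is_private() || ip.is_link_local()
        || ip.is_unspecified() || METADATA_V4.contains(&ip)
}

fn v6_is_blocked(ip: Ipv6Addr) -> bool {
    // Added assumption: judge IPv4-mapped literals (::ffff:a.b.c.d) by the IPv4 rules.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return v4_is_blocked(v4);
    }
    let first = ip.segments()[0];
    ip.is_loopback() || ip.is_unspecified()
        || (first & 0xfe00) == 0xfc00 // ULA, fc00::/7
        || (first & 0xffc0) == 0xfe80 // link-local, fe80::/10
}

pub fn ip_is_blocked(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(a) => v4_is_blocked(a),
        IpAddr::V6(a) => v6_is_blocked(a),
    }
}

/// Host component check: IP literals go through ip_is_blocked, names through
/// the hostname denylist. Trailing-dot and case folding are added assumptions.
pub fn host_is_blocked(host: &str) -> bool {
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    let literal = h.trim_start_matches('[').trim_end_matches(']');
    if let Ok(ip) = literal.parse::<IpAddr>() {
        return ip_is_blocked(ip);
    }
    h == "localhost" || h.ends_with(".local") || h == "metadata.google.internal"
}

/// DNS step: reject when ANY resolved address is blocked, not just the first.
pub fn resolved_set_is_blocked(addrs: &[IpAddr]) -> bool {
    addrs.iter().any(|a| ip_is_blocked(*a))
}

fn main() {
    println!("{}", host_is_blocked("[::ffff:169.254.169.254]"));
}
```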
§DNS rebind caveat
The DNS resolution step is defense-in-depth only. It is subject to TOCTOU races: a malicious DNS server can return a safe address for the validation call and a private address for the actual HTTP connection (the classic DNS-rebinding attack). Connect-time enforcement (binding to a local policy agent or using a kernel eBPF hook) is out of scope here. Operators concerned about DNS rebinding should additionally run the gateway behind a network policy that blocks outbound connections to RFC 1918 ranges.
§Header filter
filter_extra_headers strips any header whose name could override the
adapter-set auth (authorization, x-api-key, anthropic-version,
content-type) or the routing (host) headers, or inject hop-by-hop
headers that must not be forwarded to upstream HTTP/1.1 servers.
Enums§
Functions§
- filter_extra_headers - Filter extra_headers, dropping any header whose name is in the denylist.
- find_denied_header - Check whether any header in extra_headers is on the denylist.
- validate_provider_url - Validate a customer-supplied provider base URL.