Skip to content

[API] Validate agent endpoint URL format and block internal targets#5083

Closed
xyjk0511 wants to merge 1 commit into
ClankerNation:mainfrom
xyjk0511:c53d-187-endpoint-url-validate-v2
Closed

[API] Validate agent endpoint URL format and block internal targets#5083
xyjk0511 wants to merge 1 commit into
ClankerNation:mainfrom
xyjk0511:c53d-187-endpoint-url-validate-v2

Conversation

@xyjk0511
Copy link
Copy Markdown

@xyjk0511 xyjk0511 commented May 31, 2026

Summary

  • validate agent endpoint format (http/https URL required)
  • block private/internal targets (private/loopback/link-local/reserved/multicast, localhost, and DNS-resolved internal IPs)
  • verify reachability with HEAD request (5s timeout) before persisting
  • store the validated endpoint in agent config
  • add focused tests for valid URL, invalid format, private IP, timeout, and persistence path

Testing

  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 python -m pytest -q api/tests/test_agents_endpoint_validation.py

Closes #187
/claim #187

Prevent invalid and internal agent endpoints from entering agent config
a0e5b57 
Constraint: Issue ClankerNation#187 requires endpoint URL validation with SSRF guardrails and bounded reachability checks.
Rejected: Full URL validation middleware | touches broader API surface beyond minimal issue scope.
Confidence: high
Scope-risk: narrow
Directive: Keep endpoint verification bounded to this route unless API-wide contract is explicitly requested.
Tested: PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 python -m pytest -q api/tests/test_agents_endpoint_validation.py
Not-tested: Full API integration through running FastAPI server
@xyjk0511 xyjk0511 force-pushed the c53d-187-endpoint-url-validate-v2 branch from be0fd0a to a0e5b57 Compare May 31, 2026 05:32
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 31, 2026

Unfortunately the changes in this PR didn't fully resolve the issue. Please rework your solution and submit a new pull request within 2 hours.

Make sure to review the acceptance criteria in the linked issue and verify all conditions are met before resubmitting.

@github-actions github-actions Bot closed this May 31, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bounty-claim $7k

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ Bounty $7k ] [ API ] Fix agents.py doesn't validate endpoint URL format — urgent

1 participant

@xyjk0511