Hermes Bot
ba6f34488e
fix(onboarding,probe): refuse HTTP redirects on probe path (reviewer-flagged on PR #1501)
SSRF defense-in-depth: `urllib.request.urlopen` follows redirects by default,
so a probe at `http://example.com/v1/models` could be redirected to
`http://internal-service:8080/admin` — surfacing internal HTTP services to
the authenticated user. The probe is already gated behind WebUI auth and the
local-network check, so the practical attack surface is 'authenticated user
enumerating internal services' (same as `curl` from their browser DevTools).
Tightening the redirect default is cheap insurance.
Implementation:
- New module-level `_NoRedirectHandler` (subclasses `urllib.request.HTTPRedirectHandler`,
overrides `redirect_request` to return None — urllib then raises `HTTPError(3xx)`
rather than following).
- New module-level `_PROBE_OPENER = urllib.request.build_opener(_NoRedirectHandler())`.
- `probe_provider_endpoint` switches from `urlopen(req, …)` to `_PROBE_OPENER.open(req, …)`.
- The existing `HTTPError` handler now categorizes 3xx as `unreachable` with a
detail string mentioning 'redirect' so the user understands what happened.
3xx does NOT get its own error code in `PROBE_ERROR_CODES` — the error
taxonomy contract stays the same shape (frontend i18n unchanged).
Added regression test `test_probe_does_not_follow_redirects` in
`tests/test_issue1499_onboarding_probe.py`. Spins up a tiny HTTP server that
302-redirects `/v1/models` to `/different-endpoint` (which would return
`{'data': [{'id': 'should-not-see'}]}` if followed). Asserts the probe
returns `{ok: False, error: 'unreachable', status: 302, detail: …'redirect'…}`
and that the 'should-not-see' string never appears in the result.
Mutation-verified: reverting `_PROBE_OPENER.open` back to `urlopen` causes
the test to fail with "Probe followed a redirect — should have refused".
Suite delta: 3917 → 3918 passing (+1).
Reviewer-flagged in PR #1501. Per the
'reviewer-flagged-fix-in-release-not-followup' policy: <20 LOC defensive
fix, regression test path obvious, ship in this release rather than punting.
2026-05-03 03:21:22 +00:00
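The mechanism the commit message describes, written out as a stand-alone added example (this is illustration code, not the project's own module or its regression test): a `_NoRedirectHandler` whose `redirect_request` returns `None`, a dedicated `_PROBE_OPENER`, and a `probe_provider_endpoint` that reports any 3xx as `unreachable` with a detail string mentioning the refused redirect. The names above follow the commit message; the `http_error` code for non-3xx failures, the in-process fake provider, its `/healthy/v1/models` path and the `model-a` identifier are constructed for the demo. The fake server reproduces the regression-test setup: `/v1/models` 302-redirects to `/different-endpoint`, which would answer `should-not-see` if the probe ever followed it.

```python
"""Probe an HTTP endpoint without following redirects (added example)."""
import http.server
import json
import threading
import urllib.error
import urllib.request


class _NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Returning None from redirect_request tells urllib not to follow the 3xx.

    OpenerDirector then falls through to HTTPDefaultErrorHandler, which raises
    HTTPError carrying the 3xx status and the would-be Location header.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


# Dedicated opener for probes; the process-wide default opener is untouched.
_PROBE_OPENER = urllib.request.build_opener(_NoRedirectHandler())


def probe_provider_endpoint(url, timeout=5.0):
    """Fetch `url` and classify the outcome; any 3xx is reported as 'unreachable'.

    The 'http_error' code for other HTTP failures is an assumption of this example.
    """
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with _PROBE_OPENER.open(req, timeout=timeout) as resp:
            status = resp.status
            body = json.loads(resp.read().decode("utf-8"))
        return {"ok": True, "status": status, "data": body}
    except urllib.error.HTTPError as e:
        if 300 <= e.code < 400:
            # Report the Location target for the operator; never dereference it.
            target = e.headers.get("Location", "<none>")
            return {"ok": False, "error": "unreachable", "status": e.code,
                    "detail": f"refused HTTP redirect ({e.code}) to {target}"}
        return {"ok": False, "error": "http_error", "status": e.code,
                "detail": f"HTTP {e.code} {e.reason}"}
    except OSError as e:  # URLError, ConnectionRefusedError, TimeoutError, ...
        return {"ok": False, "error": "unreachable", "status": None,
                "detail": str(getattr(e, "reason", e))}


class _FakeProvider(http.server.BaseHTTPRequestHandler):
    """Constructed test double: 302s /v1/models to a path the probe must not reach."""

    def do_GET(self):
        if self.path == "/v1/models":
            self.send_response(302)
            self.send_header("Location", "/different-endpoint")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        if self.path == "/different-endpoint":
            payload = {"data": [{"id": "should-not-see"}]}
        elif self.path == "/healthy/v1/models":
            payload = {"data": [{"id": "model-a"}]}  # constructed healthy answer
        else:
            self.send_error(404)
            return
        raw = json.dumps(payload).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(raw)))
        self.end_headers()
        self.wfile.write(raw)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def _start_fake_provider():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeProvider)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe the redirecting path and the healthy path; return both results."""
    srv = _start_fake_provider()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        redirected = probe_provider_endpoint(base + "/v1/models")
        healthy = probe_provider_endpoint(base + "/healthy/v1/models")
    finally:
        srv.shutdown()
        srv.server_close()
    return redirected, healthy


if __name__ == "__main__":
    for result in run_demo():
        print(json.dumps(result))
```

Swapping `_PROBE_OPENER.open` back to `urllib.request.urlopen` is the mutation the commit message describes: the redirected probe would then come back `ok: True` with `should-not-see` in its data, which is exactly what the assertions below catch.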