Fix auth and SSRF vulns#261
Merged
Merged
Conversation
jmecom
force-pushed
the
fix/vuln-report-findings
branch
from
186ae67 to
55abeda
Compare
tlongwell-block
approved these changes
Apr 7, 2026
Collaborator
|
@jmecom Thanks for this PR, is this good to merged now that it's approved? |
Collaborator
Author
Yes! I don't think I can merge though. |
jmecom
force-pushed
the
fix/vuln-report-findings
branch
from
55abeda to
fe17109
Compare
tlongwell-block
added a commit
that referenced
this pull request
Apr 11, 2026
…ona-migration * origin/main: feat(desktop): add Pulse social notes surface (#296) Fix flaky desktop smoke tests (#294) Add agent lifecycle controls to channel members sidebar (#291) Update nest_agents.md tagging info (#292) feat: add Sprout nest — persistent agent workspace at ~/.sprout (#290) Fix auth and SSRF vulns (#261) Add per-agent MCP toolset configuration to agent setup (#279) feat(desktop): team & persona import/edit flows (#288) Remove menu item subtitles and fix persona card overflow (#289) feat: Phase 1 video upload support (Blossom-compliant-ish) (#285) Add inline subtitles to menu items and field descriptions (#276) Improve ephemeral channel affordances and hide archived sidebar rows (#286) Fix @mention search to use word-boundary prefix matching (#278) Allow bot owners to remove their agents from any channel (#284) [codex] Polish agent selectors and settings layout (#283) # Conflicts: # desktop/scripts/check-file-sizes.mjs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes a set of auth and SSRF weaknesses in the relay and desktop client.
The relay changes close authorization gaps around personal workflows, stop trusting request forwarding headers when verifying NIP-98 token mints, cut off live WebSocket subscriptions immediately after channel membership is revoked, and block IPv6 unspecified addresses in workflow webhook SSRF checks. The desktop changes harden authenticated Tauri request construction so attacker-controlled IDs cannot be interpreted as raw path traversal on the relay origin.
Explanation of vulns
runsandtrigger, so another authenticated user who learned a personal workflow UUID could trigger it and read run history.POST /api/tokensrebuilt the signed NIP-98 URL from request headers, so a captured bootstrap mint request could be replayed to a different relay if that relay trusted attacker-supplied forwarded host/proto values.0.0.0.0but not IPv6 unspecified::, which left a path to target localhost-bound IPv6 services viahttp://[::]:...and read the response back through workflow run history...segments to make authenticated same-origin requests to unintended relay routes.What changed
GET /api/workflows/:id/runsPOST /api/workflows/:id/triggerPOST /api/tokensnow verifies NIP-98 signatures against the configured relay URL instead ofX-Forwarded-*/Host.::/[::]in both shared IP classification and workflow URL validation../..traversal segments before sending same-origin requests.