Fix: Fix DNS Rebinding/TOCTOU Vulernability

[christopherholland-workday]

Overview

Part of advisory https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2x8m-83vc-6wv4

This PR fixes multiple SSRF bypass issues in the HTTP security wrappers by eliminating DNS rebinding (TOCTOU) vulnerabilities and enforcing deny-list validation at request time.

The changes ensure that every outbound HTTP request uses a DNS-pinned connection that matches the validated IP, including across redirects, and that insecure default behavior is removed.

Solution

1. Default insecure configuration

Previously, if HTTP_DENY_LIST was unset, requests were allowed without restriction, including access to localhost and private IP ranges.

Fix:
Requests now fail fast when HTTP_DENY_LIST is not defined, ensuring SSRF protections are always enforced.

DNS rebinding (TOCTOU) vulnerability

The previous implementation validated hostnames using dns.lookup, but the HTTP client would perform a second DNS resolution when opening the socket. This allowed attackers to return a safe IP during validation and switch to a blocked IP during connection. This seemed to be the case for both the secureFetch and secureAxiosRequest methods.

Callers of these methods, like utils#crawl should be protected via strengthening of these methods

Fix:
DNS resolution and validation now occur immediately before each request, and the resolved IP is pinned into the socket using a custom http.Agent / https.Agent. This guarantees the request connects to the same IP that was validated.

Redirect safety

Redirects were previously followed automatically by the HTTP client, allowing bypass of validation on redirected URLs.

Fix:
Automatic redirects are disabled. Each redirect target is:

• explicitly resolved,
• validated against the deny list,
• and connected using a newly pinned agent.

Redirect method rewriting (e.g. POST → GET on 303) follows HTTP specifications.

node-fetch agent handling

When using node-fetch@2.x, passing an Agent instance directly may not guarantee it is used, potentially allowing DNS re-resolution.

Fix:
The agent is now passed as a function (agent: () => agent), which node-fetch v2 reliably invokes, ensuring the pinned agent is always used.

[gemini-code-assist]

Summary of Changes

Hello @christopherholland-workday, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses critical Server-Side Request Forgery (SSRF) bypass vulnerabilities by implementing robust security measures for outbound HTTP requests. It focuses on eliminating DNS rebinding (TOCTOU) issues, enforcing deny-list validation at the point of connection, and securing redirect handling. The changes ensure that all requests utilize DNS-pinned connections that match validated IP addresses, thereby removing insecure default behaviors and significantly strengthening the application's defense against network-based attacks.

Highlights

• Enforced Deny List Configuration: Requests now explicitly fail if the "HTTP_DENY_LIST" environment variable is not defined, ensuring that Server-Side Request Forgery (SSRF) protections are always active and preventing unrestricted access to local and private networks.
• DNS Rebinding (TOCTOU) Prevention: The system now performs DNS resolution and validation immediately before each HTTP request, pinning the resolved IP address to the socket using custom "http.Agent" or "https.Agent" instances. This eliminates the time-of-check-to-time-of-use (TOCTOU) vulnerability where an attacker could switch IPs between validation and connection.
• Enhanced Redirect Handling: Automatic redirects are disabled for both "axios" and "node-fetch" requests. Each redirect target is now manually resolved, validated against the deny list, and connected using a newly pinned agent, preventing bypasses through redirect chains. HTTP specification-compliant method rewriting (e.g., POST to GET on 303) is also implemented.
• Reliable node-fetch Agent Usage: For "node-fetch" v2, the custom agent is now passed as a function ("agent: () => agent") to ensure it is reliably invoked and used, guaranteeing that the pinned agent is always applied and preventing unintended DNS re-resolution.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively addresses a critical DNS Rebinding (TOCTOU) vulnerability in secureAxiosRequest and secureFetch by implementing DNS pinning. The changes ensure that outbound requests connect to the same IP that was validated, even across redirects. I also appreciate the move to a secure-by-default configuration that requires HTTP_DENY_LIST to be set. The code is much cleaner and more secure. I have a few minor suggestions to improve code consistency and clarity.