
fix(#5452): add optional ssrf check mechanism #5464

Open

SteKoe wants to merge 2 commits into master from chore/5452-ssrf-check

Conversation

@SteKoe

@SteKoe SteKoe commented Jun 19, 2026

Contributor

This pull request introduces opt-in SSRF (Server-Side Request Forgery) protection to Spring Boot Admin Server, providing robust safeguards against attacks via the instance registration API. The feature is disabled by default to preserve compatibility, but can be enabled and configured to block registration of instances pointing to internal/private addresses or disallowed URL schemes. The protection is enforced both at registration and on each proxied request. The documentation has been updated to explain the risks, configuration options, and extension points.

Security: SSRF Protection

  • Added a new SSRF protection feature to block registration and proxying of instances using private/internal IPs, disallowed schemes, or custom blocked host patterns. Protection is opt-in and configurable via AdminServerProperties.SsrfProtectionProperties (spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/config/AdminServerProperties.java, spring-boot-admin-server/src/main/java/de/codecentric/boot/admin/server/utils/SsrfUrlValidator.java). [1] [2] [3]
  • Integrated SSRF validation into the instance registration flow and both servlet and reactive proxy controllers, ensuring dual enforcement at registration and request time (InstanceRegistry, InstancesProxyController). [1] [2] [3] [4]

Configuration and Extension

  • Introduced configuration options for allowed schemes, allowed hosts (including glob patterns), and blocked host regex patterns. Provided mechanism to override the default validator via a Spring bean. [1] [2]
  • Updated auto-configuration to wire the SSRF validator into the registry and proxy controllers, with sensible defaults and extension points. [1] [2] [3]

Documentation

  • Added comprehensive documentation for SSRF protection, including risk explanation, configuration examples, allow/blocklist usage, extension, and security best practices. Updated security overview, checklist, and navigation to reference the new feature. [1] [2] [3] [4] [5]

These changes significantly improve the security posture of Spring Boot Admin Server in environments where untrusted clients may register instances.

closes #5452

@SteKoe SteKoe requested a review from a team as a code owner June 19, 2026 08:43
@SteKoe SteKoe force-pushed the chore/5452-ssrf-check branch from f5fc079 to 0e995c5 on June 19, 2026 08:45
@SteKoe SteKoe force-pushed the chore/5452-ssrf-check branch from 0e995c5 to 24010f7 on June 19, 2026 08:45


Development

Successfully merging this pull request may close these issues.

SSRF via unauthenticated instance registration with arbitrary managementUrl

1 participant