Skip to content

docs(linkcontentfetcher): add defence-in-depth SSRF mitigation recipe#11737

Open
camgrimsec wants to merge 1 commit into
deepset-ai:mainfrom
camgrimsec:docs/linkcontentfetcher-ssrf-egress-recipe
Open

docs(linkcontentfetcher): add defence-in-depth SSRF mitigation recipe#11737
camgrimsec wants to merge 1 commit into
deepset-ai:mainfrom
camgrimsec:docs/linkcontentfetcher-ssrf-egress-recipe

Conversation

@camgrimsec

@camgrimsec camgrimsec commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Expand the existing 'Security considerations' snippet into a three-layer recipe aligned with SECURITY.md's stated operator-responsibility model for SSRF:

  1. URL pre-validation with ipaddress (tightened: explicit localhost reject, domain allowlist for hostname URLs, adds is_multicast / is_unspecified).
  2. Transport-layer NoPrivateIPTransport(httpx.HTTPTransport) re-resolves the hostname and rejects forbidden IPs (defeats DNS rebinding). Plugged in via the existing client_kwargs param. follow_redirects=False note.
  3. Network-layer egress: Kubernetes NetworkPolicy YAML denying RFC1918 / loopback / link-local CIDRs (with kube-dns exception), plus an AWS / Docker note covering 169.254.169.254.

No code change. Pure docs PR. The original short snippet is preserved as section 1; the rest is additive.

Related Issues

  • fixes #issue-number

Proposed Changes:

How did you test it?

Notes for the reviewer

Checklist

  • I have read the contributors guidelines and the code of conduct.
  • I have updated the related issue with new insights and changes.
  • I have added unit tests and updated the docstrings.
  • I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test: and added ! in case the PR includes breaking changes.
  • I have documented my code.
  • I have added a release note file, following the contributors guidelines.
  • I have run pre-commit hooks and fixed any issue.

@camgrimsec
docs(linkcontentfetcher): add defence-in-depth SSRF mitigation recipe
1c7146e 
Expand the existing 'Security considerations' snippet into a three-layer recipe
aligned with SECURITY.md's stated operator-responsibility model for SSRF:

  1. URL pre-validation with ipaddress (tightened: explicit localhost reject,
     domain allowlist for hostname URLs, adds is_multicast / is_unspecified).
  2. Transport-layer NoPrivateIPTransport(httpx.HTTPTransport) re-resolves
     the hostname and rejects forbidden IPs (defeats DNS rebinding). Plugged
     in via the existing client_kwargs param. follow_redirects=False note.
  3. Network-layer egress: Kubernetes NetworkPolicy YAML denying RFC1918 /
     loopback / link-local CIDRs (with kube-dns exception), plus an AWS /
     Docker note covering 169.254.169.254.

No code change. Pure docs PR. The original short snippet is preserved as
section 1; the rest is additive.

Signed-off-by: Cameron G <cambamwham2@gmail.com>
@camgrimsec camgrimsec requested a review from a team as a code owner June 23, 2026 13:53
@camgrimsec camgrimsec requested review from bogdankostic and removed request for a team June 23, 2026 13:53
@vercel

vercel Bot commented Jun 23, 2026

Copy link
Copy Markdown

@camgrimsec is attempting to deploy a commit to the deepset Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bogdankostic bogdankostic Awaiting requested review from bogdankostic bogdankostic is a code owner automatically assigned from deepset-ai/open-source-engineering

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@camgrimsec