[Bug]: Phase 1 — Critical SSRF Bypasses, Missing Auth & Security Headers (C-1 through C-6)

[initializ-mk]

Component

forge-core (registry, tools, security, channels, LLM), forge-cli (commands, TUI wizard, runtime)

Description

Six critical security vulnerabilities identified via cross-reference with OpenClaw 2026.2.19 / 2026.2.20. These are actively present and exploitable without special conditions.

Re-verified 2026-03-12 against latest main (commit 7d2148b). All 6 vulnerabilities confirmed present.

Reference: FORGE-SECURITY-UPDATE.md — Phase 1

Steps to reproduce

C-1. IPv4 SSRF Bypass (Octal / Hex / Short / Packed Forms)

• Files: forge-core/security/egress_enforcer.go, forge-core/security/domain_matcher.go
• domain_matcher.go uses strings.HasSuffix() and map lookups for domain matching. No IPv4 normalization exists. net.ParseIP() silently accepts octal (0177.0.0.1), hex (0x7f.0.0.1), and packed forms, bypassing the allowlist.

C-2. NAT64 / 6to4 / Teredo IPv6 Transition Address Bypass

• File: forge-core/security/egress_enforcer.go
• No checks for IPv6 transition addresses that embed private IPv4 destinations. An attacker can use 64:ff9b::127.0.0.1 (NAT64), 2002:7f00:0001:: (6to4), or Teredo addresses to reach internal services.

C-3. Cross-Origin Redirect Credential Stripping

• File: forge-core/tools/builtins/http_request.go
• HTTP client created at lines 70-73 with only Transport and Timeout. No custom CheckRedirect function. No imports for redirect handling. Cookie, Cookie2, and Proxy-Authorization headers survive cross-origin redirects.

C-4. A2A Server CORS Wildcard

• File: forge-cli/server/a2a_server.go (line 238)
• w.Header().Set("Access-Control-Allow-Origin", "*") allows access from any origin. No origin validation or dynamic origin checking.

C-5. A2A Server Authentication Not Enforced by Default

• File: forge-cli/server/a2a_server.go
• An authMiddleware field exists in ServerConfig and is applied at line 128, but it is optional (if s.authMiddleware != nil). Authentication is not enforced by default — servers can be instantiated without any auth.

C-6. A2A Server Missing Security Headers

• File: forge-cli/server/a2a_server.go
• Only CORS headers (Access-Control-*), Content-Type, Cache-Control, and Connection are set. Missing: X-Content-Type-Options, Referrer-Policy, X-Frame-Options, Content-Security-Policy.

Expected behavior

• C-1: All IPv4 literals normalized to strict dotted-decimal before allowlist comparison. Non-standard forms rejected.
• C-2: IPv6 transition addresses (NAT64, 6to4, Teredo) blocked by egress enforcer.
• C-3: Authorization, Proxy-Authorization, Cookie, Cookie2 headers stripped on cross-origin redirects.
• C-4: CORS restricted to explicit origin allowlist (default: localhost only).
• C-5: Authentication middleware required — server fails to start without auth configured.
• C-6: Security headers (X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer, X-Frame-Options: DENY, CSP: default-src 'none') set on all responses.

Actual behavior

• C-1: Octal/hex/packed IPv4 forms bypass the egress enforcer.
• C-2: IPv6 transition addresses pass through unchecked.
• C-3: Credentials forwarded to arbitrary redirect targets.
• C-4: CORS is wildcard * — any website can make cross-origin requests.
• C-5: Auth middleware is optional; servers can run without authentication.
• C-6: No security response headers present.

Tasks

C-1. IPv4 SSRF Bypass

• Add normalizeIPv4() function — re-format to strict dotted-decimal
• Reject octal, hex, short, and packed IPv4 forms
• Call normalizer before allowlist comparison in isAllowed()
• Fail closed: deny request if IP cannot be parsed to strict dotted-decimal
• Add unit tests for octal, hex, short, packed, and mixed forms

C-2. IPv6 Transition Address Bypass

• Add isIPv6TransitionAddress(ip net.IP) bool checking NAT64, 6to4, Teredo prefixes
• Block matching IPs in egress enforcer
• Fail closed on IPv6 parse error
• Add unit tests for each transition address type

C-3. Cross-Origin Redirect Credential Stripping

• Add custom CheckRedirect function on http.Client
• Compare origin (scheme+host+port) on redirect; strip sensitive headers if different
• Log cross-origin redirects at debug level
• Add unit tests with httptest cross-origin redirect server

C-4. CORS Wildcard

• Replace * with explicit configurable origin allowlist
• Default to http://localhost:* for local use
• Set Access-Control-Allow-Credentials: false explicitly
• Add tests for allowed and blocked origins

C-5. Authentication Enforcement

• Make auth middleware required — fail startup without auth
• Auto-generate cryptographically random token at first startup
• Persist token with 0600 permissions
• Reject unauthenticated requests with 401
• Add tests for authenticated and unauthenticated requests

C-6. Security Headers

• Add middleware setting X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer, X-Frame-Options: DENY, CSP: default-src 'none'
• Apply before CORS middleware
• Add test verifying headers present on responses

[initializ-mk]

PR #34 addresses all critical vulnerabilities in this issue:

• C-1/C-2/C-7: SSRF bypass via octal/hex/packed IPs now blocked by strict IPv4 parser + post-DNS SafeDialer + IPv6 transition address detection
• C-3: Cross-origin redirect credential stripping on http_request and webhook_call
• C-4: CORS restricted to localhost by default (configurable via --cors-origins / FORGE_CORS_ORIGINS / cors_origins in forge.yaml)
• C-5: Already fixed (auth middleware with 256-bit tokens)
• C-6: Security response headers (X-Content-Type-Options, Referrer-Policy, X-Frame-Options, CSP) on all A2A responses

Container/K8s-aware: allowPrivateIPs auto-detects Docker/K8s to allow RFC 1918 while always blocking cloud metadata.

See PR for full details and test plan.