Skip to content

Fix SSRF and unsafe artifact path opening guards#9

Draft
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-8bd5
Draft

Fix SSRF and unsafe artifact path opening guards#9
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-8bd5

Conversation

@cursor

@cursor cursor Bot commented Jun 12, 2026

Copy link
Copy Markdown

Bug and impact

  • fetch_url, http_request, and the new browser-fetch URL gate could allow private/local IP literals in bracketed IPv6 forms such as IPv4-mapped loopback, enabling agent tool SSRF against local services.
  • Artifact citation clicks passed model-supplied paths to open_path, which accepted absolute paths and could open files/apps outside the workspace when clicked.

Root cause

  • URL validation used host_str() text and reparsed it as IpAddr; bracketed IPv6 literals did not parse through that path, so IPv6-local and IPv4-mapped private addresses escaped the blocklist.
  • open_path treated absolute paths as trusted instead of enforcing the artifact contract that paths are workspace-relative.

Fix

  • Validate parsed url::Host values directly and classify IPv4, IPv6, IPv4-mapped IPv6, carrier-grade NAT, link-local, loopback, unique-local, multicast, unspecified, documentation, and discard-only literals as blocked.
  • Revalidate final response URLs after reqwest redirects for fetch_url and http_request.
  • Restrict open_path to workspace-relative paths and verify resolved paths remain inside the workspace.

Validation

  • cargo +stable test --manifest-path src-tauri/Cargo.toml agent_tools::tests::
  • cargo +stable test --manifest-path src-tauri/Cargo.toml
Open in Web View Automation 

cursoragent and others added 2 commits June 12, 2026 10:09
Co-authored-by: g00sifer Development Lab <g00siferdev-py@users.noreply.github.com>
Co-authored-by: g00sifer Development Lab <g00siferdev-py@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant