/highway-workflow-engine
Edit Issue #354
Description
## Issue
The http_request.py tool has no URL validation, allowing Server-Side Request Forgery (SSRF) attacks.

## Current Behavior
- Workflows can make HTTP requests to ANY URL including:
  - localhost (http://localhost:7822/admin/reset)
  - Internal IPs (192.168.x, 10.x)
  - Cloud metadata (169.254.169.254)

## Risk
- Attack internal services
- Access cloud metadata (AWS credentials)
- Scan internal network

## Required Fix
1. Add URL validation in http_request()
2. Block: localhost, 127.0.0.1, private IPs, cloud metadata
3. Add optional allow_internal param for trusted workflows
4. Log blocked attempts

## Location
engine/tools/http_request.py:103-271
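One way to implement the check the Required Fix list asks for, as an added example and not code from engine/tools/http_request.py. `validate_url`, `BlockedURL`, the `resolver` hook and the logger name are hypothetical; only `allow_internal` comes from the issue. It classifies the resolved addresses rather than matching hostname strings, so alternate spellings of an internal address are caught as well.

```python
import ipaddress
import logging
import socket
from urllib.parse import urlsplit

log = logging.getLogger("http_request.ssrf")  # hypothetical logger name

class BlockedURL(ValueError):
    """Raised when a workflow URL targets a disallowed destination."""

def _resolve(host, port):
    # Every address the name maps to; one internal record is enough to block.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def _is_internal(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:         # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_url(url, allow_internal=False, resolver=_resolve):
    """Return the resolved addresses for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        log.warning("blocked request: bad scheme or host url=%r", url)
        raise BlockedURL(f"unsupported URL: {url!r}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = resolver(parts.hostname, port)
    except (OSError, ValueError) as exc:
        log.warning("blocked request: cannot resolve url=%r", url)
        raise BlockedURL(f"cannot resolve {parts.hostname!r}") from exc
    if not allow_internal:
        for addr in addrs:
            if _is_internal(addr):
                log.warning("blocked request: url=%r resolves to %s", url, addr)
                raise BlockedURL(f"{parts.hostname!r} resolves to internal {addr}")
    return addrs
```

The check only holds if the request then connects to one of the returned addresses; letting the HTTP client resolve the name again reopens the gap via DNS rebinding. Redirect targets need the same validation before they are followed.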