guard json schema ref retrieval against internal targets#2269
Open
uwezkhan wants to merge 1 commit into
Open
Conversation
|
🎉 All Contributor License Agreements have been signed. Ready to merge. |
Robert Yokota (rayokota)
added
the
component:schema-registry
Member
|
/sem-approve |
There was a problem hiding this comment.
Pull request overview
This PR hardens JSON Schema $ref retrieval during deserialization by adding an allowlist-style network guard in the shared external-retrieve callback, preventing SSRF-style fetches to internal/non-routable targets while preserving public URL retrieval.
Changes:
- Add
_guard_external_uri()and IP classification helpers to block non-HTTP(S) schemes and non-public resolved targets before fetching. - Update
_retrieve_via_httpx()to apply the guard and explicitly disable redirect following. - Add tests validating that internal/non-HTTP(S) targets are rejected without issuing an HTTP request, and that a public-resolving host is allowed.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/confluent_kafka/schema_registry/common/json_schema.py |
Adds URI scheme/host validation and IP-range blocking before performing external $ref retrieval. |
tests/schema_registry/test_json_schema_retrieve.py |
Adds regression tests for allowed/blocked $ref retrieval behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+64
to
+75
| def _is_blocked_ip(ip) -> bool: | ||
| mapped = getattr(ip, 'ipv4_mapped', None) | ||
| if mapped is not None: | ||
| ip = mapped | ||
| return ( | ||
| ip.is_private | ||
| or ip.is_loopback | ||
| or ip.is_link_local | ||
| or ip.is_reserved | ||
| or ip.is_multicast | ||
| or ip.is_unspecified | ||
| ) |
Comment on lines
+85
to
+88
| try: | ||
| infos = socket.getaddrinfo(host, parts.port or (443 if parts.scheme == 'https' else 80)) | ||
| except socket.gaierror as ex: | ||
| raise ValueError("Could not resolve schema URI host {}: {}".format(host, ex)) |
Comment on lines
+28
to
+35
| @pytest.mark.parametrize("uri", [ | ||
| "http://169.254.169.254/latest/meta-data/", | ||
| "http://127.0.0.1:8080/internal", | ||
| "http://10.0.0.5/schema", | ||
| "http://[::1]/schema", | ||
| "file:///etc/passwd", | ||
| "gopher://127.0.0.1/x", | ||
| ]) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The JSON deserializer resolves a
$refthe schema registry doesn't know about by handing the raw URI tohttpx.getin_retrieve_via_httpx. The writer schema is selected by the schema id embedded in the consumed message, so a producer can register a schema whose$refpoints athttp://169.254.169.254/..., loopback, or an RFC1918 host, and the consumer fetches it during deserialization and parses the response as a schema.Before, any scheme and any address were fetched. After, the helper requires http/https, resolves the host, and refuses private, loopback, link-local, reserved, multicast, or unspecified targets (including IPv4-mapped IPv6); public URLs still resolve as they did. The check lives in the retrieve callback because that is the single point every
$reflookup passes through, so the sync and async paths are both covered without each caller repeating it. Tradeoff: a schema legitimately served from an internal host is now rejected and has to be reachable at a public address or registered as a named reference.