Fix(client): Disable automatic HTTP redirects in SandboxConnector to prevent SSRF #816
Pull request overview
This PR hardens the Python SDK’s SandboxConnector / AsyncSandboxConnector against SSRF by disabling automatic following of HTTP redirects when communicating with an untrusted sandbox.
Changes:
- Force `requests` calls to use `allow_redirects=False` in the sync connector.
- Force `httpx` calls to use `follow_redirects=False` in the async connector.
- Add unit tests asserting redirects are disabled for both connectors.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `clients/python/agentic-sandbox-client/k8s_agent_sandbox/connector.py` | Disables automatic redirect following for sync HTTP requests. |
| `clients/python/agentic-sandbox-client/k8s_agent_sandbox/async_connector.py` | Disables automatic redirect following for async HTTP requests. |
| `clients/python/agentic-sandbox-client/k8s_agent_sandbox/test/unit/test_connector.py` | Adds a unit test asserting `allow_redirects=False` is passed. |
| `clients/python/agentic-sandbox-client/k8s_agent_sandbox/test/unit/test_async_sandboxclient.py` | Adds a unit test asserting `follow_redirects=False` is passed. |

/priority critical-urgent

Couple of small observations/recommendations to consider for completeness:

…st non-redirect 3xx handling in sync and async connectors
Thanks @barney-s for review. Updated the comments to cover them.

/lgtm

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aditya-shantanu, barney-s, chw120
…prevent SSRF (kubernetes-sigs#816) * fix(client): disable HTTP redirects in SandboxConnector to prevent client-side SSRF * fix copilot comments * docs(client): document SDK redirection blocking security model and test non-redirect 3xx handling in sync and async connectors
What this PR does / why we need it:
This PR disables automatic HTTP redirects in the `agentic-sandbox-client` Python SDK to prevent a High-severity Server-Side Request Forgery (SSRF) vulnerability.

Currently, the SDK's `SandboxConnector` and `AsyncSandboxConnector` use default HTTP client settings that automatically follow 3xx redirects. Since the sandbox environment is inherently untrusted, an attacker with execution capabilities can force the orchestrator to perform unauthorized `GET` requests against internal infrastructure—such as cloud IMDS metadata (e.g., `169.254.169.254`) or private internal APIs—by issuing a malicious redirect.

This fix explicitly sets `allow_redirects=False` (for `requests`) and `follow_redirects=False` (for `httpx`) to ensure the security boundary between the untrusted sandbox and the orchestrator's network is strictly enforced.

Release Note
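
The redirect behaviour the PR description above addresses, as an added example (not code from this PR or the SDK): two constructed loopback servers stand in for the untrusted sandbox and for an internal service, and `requests` is called once with its default and once with `allow_redirects=False`. The `/execute` and `/secret` paths and all helper names are assumptions made for the illustration.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

import requests

internal_hits = []  # paths requested from the constructed "internal" service

class Internal(BaseHTTPRequestHandler):
    """Constructed stand-in for a service only the orchestrator can reach."""
    log_message = lambda *args: None  # silence per-request logging
    def do_GET(self):
        internal_hits.append(self.path)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"internal-only data")

def sandbox_handler(location):
    class Sandbox(BaseHTTPRequestHandler):
        """Constructed untrusted sandbox: answers every GET with a 302."""
        log_message = lambda *args: None
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
    return Sandbox

def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

def get(url, allow_redirects):
    with requests.Session() as s:
        s.trust_env = False  # ignore proxy environment variables
        return s.get(url, allow_redirects=allow_redirects, timeout=5)

def demo():
    internal_hits.clear()
    internal, internal_url = serve(Internal)
    target = internal_url + "/secret"  # hypothetical internal path
    sandbox, sandbox_url = serve(sandbox_handler(target))
    try:
        followed = get(sandbox_url + "/execute", True)   # requests default
        hits_after_default = len(internal_hits)
        blocked = get(sandbox_url + "/execute", False)   # setting from this PR
        return {"followed": (followed.status_code, followed.content),
                "blocked": (blocked.status_code, blocked.headers["Location"] == target),
                "internal_hits": (hits_after_default, len(internal_hits))}
    finally:
        internal.shutdown()
        sandbox.shutdown()
```

With redirects disabled the caller receives the 302 itself and the internal server sees no second request, so the 3xx has to be handled as a response in its own right.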