Skip to content

Fix(client): Disable automatic HTTP redirects in SandboxConnector to prevent SSRF#816

Merged
k8s-ci-robot merged 3 commits into
kubernetes-sigs:mainfrom
chw120:fix-511322708
May 27, 2026
Merged

Fix(client): Disable automatic HTTP redirects in SandboxConnector to prevent SSRF#816
k8s-ci-robot merged 3 commits into
kubernetes-sigs:mainfrom
chw120:fix-511322708

Conversation

@chw120

@chw120 chw120 commented May 18, 2026

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:

This PR disables automatic HTTP redirects in the agentic-sandbox-client Python SDK to prevent a High-severity Server-Side Request Forgery (SSRF) vulnerability.

Currently, the SDK's SandboxConnector and AsyncSandboxConnector use default HTTP client settings that automatically follow 3xx redirects. Since the sandbox environment is inherently untrusted, an attacker with execution capabilities can force the orchestrator to perform unauthorized GET requests against internal infrastructure—such as cloud IMDS metadata (e.g., 169.254.169.254) or private internal APIs—by issuing a malicious redirect.

This fix explicitly sets allow_redirects=False (for requests) and follow_redirects=False (for httpx) to ensure the security boundary between the untrusted sandbox and the orchestrator's network is strictly enforced.

Release Note

SECURITY: Disables automatic HTTP redirects in the Python SDK's SandboxConnector to mitigate potential Server-Side Request Forgery (SSRF) attacks from compromised sandboxes.
@netlify

netlify Bot commented May 18, 2026

Copy link
Copy Markdown

Deploy Preview for agent-sandbox ready!

Name Link
🔨 Latest commit f2ee079
🔍 Latest deploy log https://app.netlify.com/projects/agent-sandbox/deploys/6a17541a4ba0940008707be5
😎 Deploy Preview https://deploy-preview-816--agent-sandbox.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@k8s-ci-robot k8s-ci-robot requested review from igooch and vicentefb May 18, 2026 21:32
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 18, 2026
@janetkuo janetkuo requested a review from Copilot May 18, 2026 22:00

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the Python SDK’s SandboxConnector / AsyncSandboxConnector against SSRF by disabling automatic following of HTTP redirects when communicating with an untrusted sandbox.

Changes:

  • Force requests calls to use allow_redirects=False in the sync connector.
  • Force httpx calls to use follow_redirects=False in the async connector.
  • Add unit tests asserting redirects are disabled for both connectors.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
clients/python/agentic-sandbox-client/k8s_agent_sandbox/connector.py Disables automatic redirect following for sync HTTP requests.
clients/python/agentic-sandbox-client/k8s_agent_sandbox/async_connector.py Disables automatic redirect following for async HTTP requests.
clients/python/agentic-sandbox-client/k8s_agent_sandbox/test/unit/test_connector.py Adds a unit test asserting allow_redirects=False is passed.
clients/python/agentic-sandbox-client/k8s_agent_sandbox/test/unit/test_async_sandboxclient.py Adds a unit test asserting follow_redirects=False is passed.
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 20, 2026
@chw120

chw120 commented May 23, 2026

Copy link
Copy Markdown
Contributor Author

/priority critical-urgent

@k8s-ci-robot k8s-ci-robot added the priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. label May 23, 2026
@barney-s

Copy link
Copy Markdown
Collaborator

Couple of small observations/recommendations to consider for completeness:

  1. Clarifying Comment on pop("allow_redirects") / pop("follow_redirects"):
    Currently, the comments explain that this prevents TypeError due to duplicate keyword arguments. It is worth briefly expanding the comment (or log message) to explicitly note that the SDK mandates blocking redirects for SSRF mitigation, and user-provided redirect settings are overridden/ignored for security reasons.

  2. Handling other 3xx Status Codes (e.g., 300 / 305 / 306):
    Neither requests nor httpx considers status codes like 300 Multiple Choices, 305 Use Proxy, or 306 Switch Proxy as response.is_redirect = True by default.

    • Since allow_redirects=False/follow_redirects=False is set at the client request level, the client will not automatically follow redirects for these status codes. So there is no SSRF risk.
    • However, since these codes do not trigger response.is_redirect = True, they will bypass the redirection error raise and instead execute response.raise_for_status(). Since raise_for_status only raises for 400 <= status_code < 600, these 3xx responses will be returned directly to the caller. This is acceptable behavior, but is worth noting.
…st non-redirect 3xx handling in sync and async connectors
@chw120

chw120 commented May 27, 2026

Copy link
Copy Markdown
Contributor Author

Couple of small observations/recommendations to consider for completeness:

  1. Clarifying Comment on pop("allow_redirects") / pop("follow_redirects"):
    Currently, the comments explain that this prevents TypeError due to duplicate keyword arguments. It is worth briefly expanding the comment (or log message) to explicitly note that the SDK mandates blocking redirects for SSRF mitigation, and user-provided redirect settings are overridden/ignored for security reasons.

  2. Handling other 3xx Status Codes (e.g., 300 / 305 / 306):
    Neither requests nor httpx considers status codes like 300 Multiple Choices, 305 Use Proxy, or 306 Switch Proxy as response.is_redirect = True by default.

    • Since allow_redirects=False/follow_redirects=False is set at the client request level, the client will not automatically follow redirects for these status codes. So there is no SSRF risk.
    • However, since these codes do not trigger response.is_redirect = True, they will bypass the redirection error raise and instead execute response.raise_for_status(). Since raise_for_status only raises for 400 <= status_code < 600, these 3xx responses will be returned directly to the caller. This is acceptable behavior, but is worth noting.

Thanks @barney-s for review. Updated the comments to cover them.

@barney-s

Copy link
Copy Markdown
Collaborator

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 27, 2026
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aditya-shantanu, barney-s, chw120

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 27, 2026
@k8s-ci-robot k8s-ci-robot merged commit d43447b into kubernetes-sigs:main May 27, 2026
10 checks passed
@github-project-automation github-project-automation Bot moved this from Backlog to Done in Agent Sandbox May 27, 2026
@chw120 chw120 deleted the fix-511322708 branch May 27, 2026 22:09
khirotaka pushed a commit to khirotaka/agent-sandbox that referenced this pull request Jun 12, 2026
…prevent SSRF (kubernetes-sigs#816)

* fix(client): disable HTTP redirects in SandboxConnector to prevent client-side SSRF

* fix copilot comments

* docs(client): document SDK redirection blocking security model and test non-redirect 3xx handling in sync and async connectors
alexatakvelon pushed a commit to volatilemolotov/agent-sandbox that referenced this pull request Jun 24, 2026
…prevent SSRF (kubernetes-sigs#816)

* fix(client): disable HTTP redirects in SandboxConnector to prevent client-side SSRF

* fix copilot comments

* docs(client): document SDK redirection blocking security model and test non-redirect 3xx handling in sync and async connectors
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. ready-for-review size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

6 participants