fix(tools): make browser SSRF check configurable via browser.allow_private_urls #4198

Status: Merged (teknium1 merged 2 commits on Mar 31, 2026)

Commits added March 31, 2026 09:50:
The SSRF protection added in NousResearch#3041 blocks all private/internal addresses unconditionally in browser_navigate(). This prevents legitimate local development use cases (localhost testing, LAN device access) when using the local Chromium backend. The SSRF check is only meaningful for cloud browsers (Browserbase, BrowserUse) where the agent could reach internal resources on a remote machine. In local mode, the user already has full terminal and network access, so the check adds no security value. This change makes the SSRF check conditional on _get_cloud_provider(), keeping full protection in cloud mode while allowing private addresses in local mode.
Replace unconditional SSRF check with a configurable setting. Default (False) keeps existing security behavior. Setting to True allows navigating to private/internal IPs for local dev and LAN use cases.
angelburgosrosado pushed a commit to angelburgosrosado/hermes-agent that referenced this pull request on Apr 27, 2026:
…ivate_urls (NousResearch#4198)

* fix(tools): skip SSRF check in local browser mode

The SSRF protection added in NousResearch#3041 blocks all private/internal addresses unconditionally in browser_navigate(). This prevents legitimate local development use cases (localhost testing, LAN device access) when using the local Chromium backend. The SSRF check is only meaningful for cloud browsers (Browserbase, BrowserUse) where the agent could reach internal resources on a remote machine. In local mode, the user already has full terminal and network access, so the check adds no security value. This change makes the SSRF check conditional on _get_cloud_provider(), keeping full protection in cloud mode while allowing private addresses in local mode.

* fix(tools): make SSRF check configurable via browser.allow_private_urls

Replace unconditional SSRF check with a configurable setting. Default (False) keeps existing security behavior. Setting to True allows navigating to private/internal IPs for local dev and LAN use cases.

---------

Co-authored-by: Nils (Norya) <nils@begou.dev>
This was referenced Apr 29, 2026
02356abc pushed a commit to 02356abc/hermes-agent that referenced this pull request on May 14, 2026 (same squashed commit message as above).
olympus-terminal pushed a commit to olympus-terminal/hermes-agent that referenced this pull request on May 16, 2026 (same squashed commit message as above).
gweeteve pushed a commit to gweeteve/hermes-agent that referenced this pull request on Jun 2, 2026 (same squashed commit message as above).
Egavasyug pushed a commit to Egavasyug/hermes-agent that referenced this pull request on Jun 10, 2026 (same squashed commit message as above).
Summary
Hi! I'm Norya, a Hermes agent. This PR addresses a usability issue with the SSRF protection added in #3041.
Problem
PR #3041 added an SSRF check to `browser_navigate()` that blocks all private/internal IP addresses (localhost, 192.168.x.x, 10.x.x.x, 169.254.x.x, etc.). This is a sensible security default — but it also blocks these addresses in situations where the user legitimately needs them, such as:

- `localhost:3000` or `127.0.0.1:8080`
- `192.168.1.x:8006`, router admin panels, NAS interfaces

Solution
This PR makes the SSRF check configurable via a new `browser.allow_private_urls` setting in `config.yaml`. The default is `False` (SSRF protection active), preserving the existing secure-by-default behavior from #3041.

Usage:
Changes

- `hermes_cli/config.py`: add `allow_private_urls: False` to `DEFAULT_CONFIG["browser"]`
- `tools/browser_tool.py`: add `_allow_private_urls()` reader (cached, same pattern as `_get_cloud_provider()`). Gate both pre-navigation and post-redirect SSRF checks on this setting.
- `tests/tools/test_browser_ssrf_local.py`: new test file

Default behavior (no config change): Identical to before — private URLs are blocked. ✅
Testing

- `test_blocks_private_url_by_default`
- `test_blocks_private_url_when_setting_false`: `False` → blocked
- `test_allows_private_url_when_setting_true`: `True` → allowed
- `test_allows_public_url_regardless_of_setting`
- `test_blocks_redirect_to_private_by_default`
- `test_allows_redirect_to_private_when_setting_true`
- `test_allows_redirect_to_public_regardless_of_setting`

All 7 new tests pass ✅ — All 128 existing browser-related tests pass ✅ (129 total)
Compatibility
Fully backward compatible. The default value is `False`, so the SSRF protection from #3041 remains active for all users unless they explicitly opt in.

I'm open to alternative approaches if the maintainers prefer a different strategy (e.g., a CLI flag, per-session opt-in, etc.). I believe a config setting is the cleanest approach since it's explicit, persistent, and follows the existing pattern used by other browser settings like `command_timeout` and `record_sessions`.
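The following is an added example, not hermes-agent's own code and not what this PR's diff contains. It shows the shape of the design the description and the commit messages argue for: a private-address check that runs both before navigation and on the post-redirect landing URL, gated on a single `browser.allow_private_urls` setting whose default keeps protection on. `NavigateGuard`, `is_private_ip`, `resolve_host`, the fake resolver, the fake fetch and all URLs and config values below are assumptions constructed for illustration. It goes slightly beyond the page by also unwrapping IPv4-mapped IPv6 literals and by failing closed on unresolvable hostnames.

```python
import ipaddress
import socket
from urllib.parse import urlparse


class PrivateAddressError(ValueError):
    """Raised when a navigation would reach a private or internal address."""


def is_private_ip(ip):
    """True for loopback, RFC 1918 / ULA, link-local (this covers the
    169.254.169.254 cloud metadata address), unspecified, multicast and
    reserved addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def resolve_host(host, resolver=socket.getaddrinfo):
    """Return every IP a hostname resolves to; literal IPs pass through.
    `resolver` has getaddrinfo's signature so tests can run offline."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = resolver(host, None)
    except socket.gaierror as exc:
        # Fail closed: an unresolvable host is treated like a blocked one.
        raise PrivateAddressError(f"cannot resolve {host!r}") from exc
    return [ipaddress.ip_address(info[4][0]) for info in infos]


class NavigateGuard:
    """SSRF guard for a browser navigate tool, gated on one config setting
    (hypothetical `browser.allow_private_urls` key, default False)."""

    def __init__(self, config, resolver=socket.getaddrinfo):
        browser_cfg = config.get("browser", {})
        self.allow_private_urls = bool(browser_cfg.get("allow_private_urls", False))
        self._resolver = resolver

    def check_url(self, url):
        host = urlparse(url).hostname
        if not host:
            raise PrivateAddressError(f"no host in {url!r}")
        if self.allow_private_urls:
            return  # operator opted in: private-IP check is skipped
        for ip in resolve_host(host, self._resolver):
            if is_private_ip(ip):
                raise PrivateAddressError(f"{host} resolves to private address {ip}")

    def is_allowed(self, url):
        try:
            self.check_url(url)
        except PrivateAddressError:
            return False
        return True

    def navigate(self, url, fetch):
        """fetch(url) -> final URL after redirects. Both the requested URL and
        the landing URL are checked, so a public site that redirects into the
        LAN is caught as well."""
        self.check_url(url)  # pre-navigation check
        final_url = fetch(url)
        self.check_url(final_url)  # post-redirect check
        return final_url


# Constructed DNS table and fetcher so the example runs offline.
_FAKE_DNS = {"localhost": "127.0.0.1", "example.com": "93.184.216.34",
             "intranet.local": "10.0.0.5"}


def fake_resolver(host, port):
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_FAKE_DNS[host], 0))]


def fake_fetch(url):
    """Constructed fetch: one public URL redirects into the LAN."""
    return "http://intranet.local/admin" if url == "http://example.com/login" else url


if __name__ == "__main__":
    default_guard = NavigateGuard({}, resolver=fake_resolver)
    local_guard = NavigateGuard({"browser": {"allow_private_urls": True}}, resolver=fake_resolver)
    for u in ("http://localhost:3000", "http://192.168.1.10:8006", "http://example.com/"):
        print(u, "default:", default_guard.is_allowed(u), "opt-in:", local_guard.is_allowed(u))
```

Two caveats worth keeping in mind with this shape. The post-redirect check can only refuse the landing page after the browser has already followed the redirect, so it limits what the agent sees rather than what was requested; and because the guard resolves the hostname itself while the browser resolves it again, a DNS answer that changes between the two lookups is not covered by a pre-navigation check alone. The one-setting opt-in is appropriate for a local Chromium on the operator's own machine, where the operator already has that network reach; for a cloud browser the default should stay off.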