Harden hostname normalization for repeated trailing dots [AI] #87305

Merged
pgondhi987 merged 4 commits into openclaw:main from pgondhi987:fix/fix-697
May 27, 2026

@pgondhi987 pgondhi987 commented May 27, 2026

Contributor

Summary

  • Harden hostname canonicalization so repeated terminal dots are treated the same as a canonical hostname before network guard policy checks.
  • Add regression coverage for blocked hostnames with repeated trailing dots at the normalizer, SSRF policy, and trusted environment proxy dispatch boundary.
  • Keep SSRF test helpers on the shared production hostname normalizer to avoid drift in plugin-facing test utilities.
  • Keep the change scoped to shared hostname normalization and network guard tests; no config, migration, or public API changes are intended.
  • AI-assisted.

Linked context

Which issue does this close?

No public issue is closed by this PR body.

Which issues, PRs, or discussions are related?

No public related context is linked here.

Was this requested by a maintainer or owner?

No public maintainer request is linked here.

Real behavior proof (required for external PRs)

  • Behavior addressed: Reserved hostnames with repeated trailing dots are blocked before trusted proxy dispatch.
  • Real environment tested: Local OpenClaw source checkout using the production fetchWithSsrFGuard trusted proxy path with HTTPS_PROXY=http://127.0.0.1:7890; fetch and DNS lookup were instrumented as dispatch canaries.
  • Exact steps or command run after this patch: HTTPS_PROXY=http://127.0.0.1:7890 ./node_modules/.bin/tsx --eval '<script importing fetchWithSsrFGuard and calling repeated-dot reserved URLs in TRUSTED_ENV_PROXY mode>'
  • Evidence after fix:
[security] blocked URL fetch (url-fetch) targetOrigin=http://localhost... reason=Blocked hostname or private/internal/special-use IP address
BLOCKED http://localhost.../resource :: Blocked hostname or private/internal/special-use IP address
[security] blocked URL fetch (url-fetch) targetOrigin=http://metadata.google.internal... reason=Blocked hostname or private/internal/special-use IP address
BLOCKED http://metadata.google.internal.../computeMetadata/v1/ :: Blocked hostname or private/internal/special-use IP address
[security] blocked URL fetch (url-fetch) targetOrigin=http://api.localhost... reason=Blocked hostname or private/internal/special-use IP address
BLOCKED http://api.localhost.../resource :: Blocked hostname or private/internal/special-use IP address
[security] blocked URL fetch (url-fetch) targetOrigin=http://svc.local... reason=Blocked hostname or private/internal/special-use IP address
BLOCKED http://svc.local.../resource :: Blocked hostname or private/internal/special-use IP address
[security] blocked URL fetch (url-fetch) targetOrigin=http://db.internal... reason=Blocked hostname or private/internal/special-use IP address
BLOCKED http://db.internal.../resource :: Blocked hostname or private/internal/special-use IP address
DISPATCH_COUNTS fetch=0 lookup=0
  • Observed result after fix: Repeated-dot variants of localhost, metadata.google.internal, .localhost, .local, and .internal hostnames are rejected before DNS lookup or fetch dispatch in trusted proxy mode.
  • What was not tested: Live forwarding through a real external proxy or access to a cloud metadata service.
  • Proof limitations or environment constraints: The proof intentionally stops at the guard boundary and uses dispatch canaries to verify no fetch or DNS lookup happens.
  • Before evidence (optional but encouraged): Existing normalization stripped only one trailing dot, leaving repeated-dot hostnames non-canonical for exact and suffix checks.

Tests and validation

Which commands did you run?

node scripts/run-vitest.mjs src/infra/net/hostname.test.ts src/infra/net/ssrf.test.ts src/infra/net/fetch-guard.ssrf.test.ts

node scripts/run-vitest.mjs src/infra/net/hostname.test.ts src/infra/net/ssrf.test.ts src/infra/net/fetch-guard.ssrf.test.ts extensions/google/image-generation-provider.test.ts

git diff --check origin/main...HEAD

node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/infra/net/hostname.ts src/infra/net/hostname.test.ts src/infra/net/ssrf.test.ts src/infra/net/fetch-guard.ssrf.test.ts src/test-helpers/ssrf.ts

What regression coverage was added or updated?

Canonical hostname normalization now covers repeated trailing dots. SSRF policy tests cover blocked reserved hostnames with repeated trailing dots. Trusted proxy guard tests cover rejection before lookup or fetch dispatch. The plugin-facing SSRF test helper now reuses the shared normalizer.

What failed before this fix, if known?

Repeated terminal dots could leave a hostname outside the canonical exact/suffix blocked forms.

If no test was added, why not?

Tests were added.

Risk checklist

Did user-visible behavior change? (Yes/No)

Yes, malformed or unusual repeated-dot forms of blocked hostnames are now rejected consistently.

Did config, environment, or migration behavior change? (Yes/No)

No.

Did security, auth, secrets, network, or tool execution behavior change? (Yes/No)

Yes, network hostname guard canonicalization is stricter for repeated trailing dots.

What is the highest-risk area?

Network guard hostname canonicalization is shared by SSRF policy and SDK-exposed helpers.

How is that risk mitigated?

The implementation is a narrow canonicalization change with focused normalizer, SSRF policy, trusted proxy guard, helper-parity regression coverage, and terminal guard-boundary proof.

Current review state

What is the next action?

Await ClawSweeper re-review, CI status, and maintainer review.

What is still waiting on author, maintainer, CI, or external proof?

ClawSweeper re-review and maintainer review are pending. CI has an unrelated existing check-lint failure in an unchanged file.

Which bot or reviewer comments were addressed?

ClawSweeper requested real behavior proof; the PR body now includes terminal guard-boundary proof showing repeated-dot reserved hostnames blocked before fetch or DNS lookup.
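
The canonicalization gap this PR describes, as an added TypeScript sketch that is not OpenClaw's code: a normalizer that removes only one terminal dot leaves `localhost..` non-canonical, so exact and suffix checks miss it. Only `normalizeHostname` is a name from the PR; the blocklists, `normalizeSingleDot`, `isReservedHostname`, `compareGuards`, `newlyBlocked` and the sample hosts are assumptions constructed for illustration.

```typescript
// Added illustration, not OpenClaw source. Only the name normalizeHostname
// comes from the PR; every other name and list here is an assumption.

type Normalizer = (hostname: string) => string;

// Reserved names taken from the PR's evidence output (constructed lists, not
// the project's real policy table).
const BLOCKED_EXACT: ReadonlySet<string> = new Set([
  "localhost",
  "metadata.google.internal",
]);
const BLOCKED_SUFFIXES: readonly string[] = [".localhost", ".local", ".internal"];

// Behaviour described as "before": at most one terminal dot is removed.
function normalizeSingleDot(hostname: string): string {
  return hostname.trim().toLowerCase().replace(/\.$/, "");
}

// Hardened behaviour: any run of terminal dots collapses to the canonical form.
function normalizeHostname(hostname: string): string {
  return hostname.trim().toLowerCase().replace(/\.+$/, "");
}

// Exact and suffix matching is only sound when the input is already canonical,
// which is why the normalizer is part of the security boundary.
function isReservedHostname(hostname: string, normalize: Normalizer): boolean {
  const canonical = normalize(hostname);
  if (BLOCKED_EXACT.has(canonical)) return true;
  return BLOCKED_SUFFIXES.some((suffix) => canonical.endsWith(suffix));
}

interface GuardComparison {
  host: string;
  canonical: string;
  blockedBefore: boolean;
  blockedAfter: boolean;
}

// Run both normalizers over the same inputs so the difference is visible.
function compareGuards(hosts: readonly string[]): GuardComparison[] {
  return hosts.map((host) => ({
    host,
    canonical: normalizeHostname(host),
    blockedBefore: isReservedHostname(host, normalizeSingleDot),
    blockedAfter: isReservedHostname(host, normalizeHostname),
  }));
}

// Hosts that passed the single-dot guard but are rejected by the hardened one.
function newlyBlocked(hosts: readonly string[]): string[] {
  return compareGuards(hosts)
    .filter((row) => !row.blockedBefore && row.blockedAfter)
    .map((row) => row.host);
}

// Constructed sample input: canonical, single-dot and repeated-dot forms,
// plus one public host that must stay allowed under both normalizers.
const SAMPLE_HOSTS: readonly string[] = [
  "localhost",
  "localhost.",
  "localhost..",
  "METADATA.google.internal...",
  "api.localhost..",
  "svc.local..",
  "db.internal...",
  "example.com..",
];

for (const row of compareGuards(SAMPLE_HOSTS)) {
  console.log(
    `${row.host} -> ${row.canonical} before=${row.blockedBefore} after=${row.blockedAfter}`,
  );
}
```
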

openclaw-barnacle Bot added labels May 27, 2026: size: XS; maintainer (Maintainer-authored PR)

clawsweeper Bot commented May 27, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 10:24 AM ET / 14:24 UTC.

Summary
The PR changes shared hostname normalization to strip repeated trailing dots and adds SSRF, trusted-proxy, normalizer, and test-helper regression coverage.

PR surface: Source 0, Tests +41. Total +41 across 5 files.

Reproducibility: yes. Current main keeps repeated trailing dots in URL hostnames and normalizeHostname removes only one terminal dot, so reserved hostname checks can miss repeated-dot variants; the PR body adds terminal proof that the patched guard blocks them before fetch or lookup.

Review metrics: 1 noteworthy metric.

  • Shared helper behavior: 1 SDK-exported normalizer changed. normalizeHostname is re-exported through plugin SDK/runtime surfaces, so the stricter canonicalization is an upgrade-visible security behavior change.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Wait for maintainer review on the shared normalization compatibility decision and current CI status.

Risk before merge

  • Merging intentionally changes shared, SDK-exported hostname normalization and SSRF policy behavior for repeated-dot hostnames, so existing unusual repeated-dot inputs may be rejected or canonicalized differently after upgrade.

Maintainer options:

  1. Accept the stricter shared canonicalization (recommended)
    A maintainer can accept the compatibility impact because the change is a narrow SSRF hardening with focused tests and terminal guard-boundary proof.
  2. Add one more compatibility guardrail
    If maintainers want extra upgrade confidence, ask for focused coverage showing the intended behavior for repeated-dot public allowlisted hosts or numeric private IP variants before merge.

Next step before merge
Manual review is needed because the PR has a protected maintainer label and intentionally changes shared SSRF/plugin-SDK hostname behavior; no narrow automated repair is identified.

Security
Cleared: The diff touches a security boundary but narrows SSRF hostname canonicalization and adds focused guard-boundary coverage; I found no concrete supply-chain or security regression.

Review details

Best possible solution:

Land the centralized normalizer hardening after maintainer review confirms the stricter repeated-dot canonicalization is the desired SSRF and SDK behavior.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main keeps repeated trailing dots in URL hostnames and normalizeHostname removes only one terminal dot, so reserved hostname checks can miss repeated-dot variants; the PR body adds terminal proof that the patched guard blocks them before fetch or lookup.

Is this the best way to solve the issue?

Yes. Changing the shared normalizer is the narrow maintainable fix because the SSRF classifier, DNS pinning, trusted proxy checks, and test helper already depend on that canonical hostname contract.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5bf1f168d403.

Label changes

  • add proof: sufficient: Contributor real behavior proof is sufficient. The updated PR body provides after-fix terminal proof from the production trusted proxy guard path, with blocked repeated-dot reserved hosts and zero fetch/DNS dispatch counts.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The updated PR body provides after-fix terminal proof from the production trusted proxy guard path, with blocked repeated-dot reserved hosts and zero fetch/DNS dispatch counts.
  • remove rating: 🦪 silver shellfish: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
  • remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P1: This is a security-sensitive SSRF guard hardening in a shared network path that can affect real fetch and proxy workflows.
  • merge-risk: 🚨 compatibility: The PR changes shared hostname canonicalization, which can reject or match repeated-dot hostnames differently for existing users and plugin SDK callers.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The updated PR body provides after-fix terminal proof from the production trusted proxy guard path, with blocked repeated-dot reserved hosts and zero fetch/DNS dispatch counts.
  • proof: sufficient: Contributor real behavior proof is sufficient. The updated PR body provides after-fix terminal proof from the production trusted proxy guard path, with blocked repeated-dot reserved hosts and zero fetch/DNS dispatch counts.
Evidence reviewed

PR surface:

Source 0, Tests +41. Total +41 across 5 files.

View PR surface stats
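| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 2 | 3 | 3 | 0 |
| Tests | 3 | 41 | 0 | +41 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 5 | 44 | 3 | +41 |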

What I checked:

  • Repository policy read: Root AGENTS.md was read fully; its ClawSweeper policy treats plugin SDK and network guard behavior as compatibility-sensitive and requires real behavior proof for user-visible/security changes. (AGENTS.md:1, 5bf1f168d403)
  • Current main normalizer only strips one trailing dot: Current main normalizes hostname case/spacing and removes only one terminal dot with /.$/, so a repeated-dot hostname remains non-canonical for exact and suffix checks. (src/infra/net/hostname.ts:4, 5bf1f168d403)
  • Current main SSRF reserved-host checks depend on normalized hostnames: Blocked hostnames and .localhost/.local/.internal suffix checks run after normalizeHostname, so a value left as localhost.. or metadata.google.internal.. misses the reserved-host classifier. (src/infra/net/ssrf.ts:340, 5bf1f168d403)
  • Trusted proxy path relies on pre-DNS hostname checks: The trusted env proxy and pinDns=false paths call assertHostnameAllowedWithPolicy before dispatch because they can skip local DNS pinning, making hostname canonicalization part of the security boundary. (src/infra/net/fetch-guard.ts:466, 5bf1f168d403)
  • PR implementation centralizes repeated-dot normalization: At the PR head, normalizeHostname strips one or more trailing dots, and the test helper now reuses that production helper instead of duplicating the older one-dot logic. (src/infra/net/hostname.ts:4, 288c006232df)
  • PR regression coverage reaches the guard boundary: The PR adds tests for repeated-dot reserved hostnames in isBlockedHostnameOrIp/assertHostnameAllowedWithPolicy and in TRUSTED_ENV_PROXY mode, asserting no lookup or fetch dispatch occurs. (src/infra/net/fetch-guard.ssrf.test.ts:2006, 288c006232df)

Likely related people:

  • steipete: Peter Steinberger has the heaviest history across the SSRF/network guard files and authored earlier SSRF hardening plus the shared hostname normalization refactor. (role: original and adjacent security owner; confidence: high; commits: 5bd55037e450, 4aaafe532256, d51929ecb52f; files: src/infra/net/ssrf.ts, src/infra/net/hostname.ts, src/infra/net/fetch-guard.ts)
  • caz0075: git blame on current main attributes the current recreated hostname, SSRF, fetch guard, and test helper files to commit 12e5876. (role: recent area contributor; confidence: medium; commits: 12e587690345; files: src/infra/net/hostname.ts, src/infra/net/ssrf.ts, src/infra/net/fetch-guard.ts)
  • GodsBoy: GodsBoy authored the pinDns=false hostname-validation hardening that uses the same assertHostnameAllowedWithPolicy boundary affected by this normalization change. (role: adjacent guard-path contributor; confidence: medium; commits: c159d22b34fa; files: src/infra/net/fetch-guard.ts)
  • vincentkoc: Vincent Koc has nearby SSRF/network guard history, including single-result lookup normalization and trusted env proxy helper work in related network paths. (role: adjacent SSRF contributor; confidence: medium; commits: 47f0dc3adb06, 6ee8e194c027; files: src/infra/net/ssrf.ts, src/infra/net/fetch-guard.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

clawsweeper Bot added labels May 27, 2026:

  • rating: 🦪 silver shellfish (Thin PR readiness signal; proof, validation, or implementation needs work.)
  • status: 📣 needs proof (The PR needs real behavior proof before ClawSweeper can clear the contributor ask.)
  • P1 (High-priority user-facing bug, regression, or broken workflow.)
  • merge-risk: 🚨 compatibility (🚨 May break existing users, config, migrations, defaults, or upgrade paths.)

clawsweeper Bot commented May 27, 2026

Contributor

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Frosted Patch Peep

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: purrs at green checks.
Image traits: location status garden; accessory green check lantern; palette charcoal, cyan, and signal green; mood watchful; pose balancing on a branch marker; shell translucent glimmer shell; lighting cool dashboard glow; background miniature CI buoys.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@pgondhi987

Contributor Author

Added real behavior proof to the PR body. It runs the production trusted proxy guard path with repeated-dot reserved hostnames and shows each URL is blocked with DISPATCH_COUNTS fetch=0 lookup=0.

@clawsweeper re-review


clawsweeper Bot commented May 27, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

clawsweeper Bot added and removed labels May 27, 2026.

Added:

  • proof: sufficient (ClawSweeper judged the real behavior proof convincing.)
  • rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)

Removed:

  • rating: 🦪 silver shellfish (Thin PR readiness signal; proof, validation, or implementation needs work.)
  • status: 📣 needs proof (The PR needs real behavior proof before ClawSweeper can clear the contributor ask.)
@pgondhi987 pgondhi987 merged commit 0314d67 into openclaw:main May 27, 2026
7 checks passed
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 28, 2026
…aw#87305)

* fix: canonicalize trailing hostname dots

* test: reuse shared hostname normalization

* docs: add changelog entry for PR merge
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request May 28, 2026
…026.5.27) (#698)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.5.26` → `2026.5.27` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.5.27`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026527)

[Compare Source](openclaw/openclaw@v2026.5.26...v2026.5.27)

##### Highlights

- Safer local/runtime boundaries: OpenClaw now rejects unsafe command wrappers, malformed CLI numeric options, unsafe Node runtime env overrides, no-auth Tailscale exposure, and non-admin device-role pairing approvals before they can affect live runs. ([#87308](openclaw/openclaw#87308), [#87305](openclaw/openclaw#87305), [#87292](openclaw/openclaw#87292), [#87146](openclaw/openclaw#87146))
- Matrix and auto-reply delivery are steadier: mention previews stay inert, final mention replies deliver normally, shared-DM notices are awaited, MXID parsing ignores filenames, and reasoning-prefixed `NO_REPLY` responses stay suppressed.
- Provider and agent reliability improved across OpenAI-compatible embeddings, cached token usage, Anthropic/Codex/Claude runtime state, unsupported tool-schema quarantine, heartbeat templates, and session fallback errors. ([#85269](openclaw/openclaw#85269), [#82062](openclaw/openclaw#82062), [#85416](openclaw/openclaw#85416), [#86855](openclaw/openclaw#86855))
- Plugin and package release paths got tighter: Pixverse ships as an external video plugin with region selection, package exclusions and shrinkwrap inventory match the published npm shape, and release/package smoke commands fail bounded instead of hanging.
- Gateway hot paths do less rediscovery by reusing current plugin metadata fingerprints, stable plugin index fingerprints, read-only session metadata, active working stores, status fast paths, and auth/env snapshots. ([#86439](openclaw/openclaw#86439))

##### Changes

- Memory: add a core OpenAI-compatible embedding provider for local and hosted OpenAI-style endpoints, with config, doctor, and docs support. ([#85269](openclaw/openclaw#85269)) Thanks [@dutifulbob](https://github.com/dutifulbob).
- Plugin SDK: mark memory-specific embedding provider registration as deprecated compatibility and surface non-bundled usage in plugin compatibility diagnostics. ([#85072](openclaw/openclaw#85072)) Thanks [@mbelinky](https://github.com/mbelinky).
- Pixverse: add video generation provider support, API region selection, and external plugin publishing.
- Plugins: expose approval action metadata for plugin-driven approval surfaces.

##### Fixes

- Security/CLI/runtime: harden hostname normalization for repeated trailing dots, block side-effecting command wrappers, reject unsafe Node runtime env overrides, reject loose numeric CLI and gateway options, require admin approval for node device-role pairing, and reject no-auth Tailscale exposure. ([#87305](openclaw/openclaw#87305), [#87292](openclaw/openclaw#87292), [#87308](openclaw/openclaw#87308), [#87146](openclaw/openclaw#87146)) Thanks [@pgondhi987](https://github.com/pgondhi987).
- Doctor: validate runtime tool schemas for every configured embedded agent while skipping ACP-only profiles, so bad non-default plugin or MCP tools are reported before assistant turns.
- Telegram: route `sendMessage` action replies through durable outbound delivery so completed agent responses remain retryable when the gateway send path times out. ([#87261](openclaw/openclaw#87261)) Thanks [@mbelinky](https://github.com/mbelinky).
- Matrix/auto-reply: keep draft previews mention-inert, preserve final mention delivery, send mention finals normally, await shared DM notices, ignore filename-embedded MXIDs, and suppress reasoning-prefixed `NO_REPLY` responses.
- Agents/providers: add OpenAI-compatible cache retention, forward cached token usage in chat completions, preserve runtime context before active user turns, strip stale Anthropic thinking, load Claude CLI OAuth for Pi auth profiles, avoid false Codex runtime live switches, and quarantine unsupported tool schemas. ([#82062](openclaw/openclaw#82062), [#87167](openclaw/openclaw#87167), [#86855](openclaw/openclaw#86855))
- Gateway/performance: cache plugin metadata fingerprints and stable plugin index fingerprints, borrow read-only session metadata safely, keep the active session working store hot, keep status on a bounded fast path, and preserve model auth profile suffixes. ([#86439](openclaw/openclaw#86439))
- Package/install/release: align npm package exclusions and inventory, omit unpacked test helpers, skip Homebrew until macOS packages need it, cap tsdown heap in containers, bound install/release smoke waits, and harden post-publish verification.
- Codex/Auth: bound ChatGPT OAuth token exchange and refresh requests, and honor cancellation across Codex and Anthropic OAuth login flows.
- QA/E2E/CI: bound Telegram, kitchen-sink, Open WebUI, ClawHub, MCP, Discord, realtime, labeler, and GitHub API waits; fail empty explicit test, live-media, gateway CPU, startup benchmark, plugin gauntlet, and beta-smoke runs instead of false-greening.
- Agents/Codex: keep spawned agent bootstrap files rooted in the agent workspace while running task commands, transcripts, and compaction from the requested cwd. ([#87218](openclaw/openclaw#87218)) Thanks [@mbelinky](https://github.com/mbelinky).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/698
SYU8384 pushed a commit to SYU8384/openclaw that referenced this pull request Jun 3, 2026
…aw#87305)

* fix: canonicalize trailing hostname dots

* test: reuse shared hostname normalization

* docs: add changelog entry for PR merge
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
…aw#87305)

* fix: canonicalize trailing hostname dots

* test: reuse shared hostname normalization

* docs: add changelog entry for PR merge
Labels

maintainer Maintainer-authored PR merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. P1 High-priority user-facing bug, regression, or broken workflow. proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. size: XS status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.