
security: unvalidated OPENAI_API_BASE enables SSRF and API key exfiltration #358

@zorak1103

Description


Summary

OPENAI_API_BASE is accepted without any scheme or host validation. An attacker who can set this environment variable silently redirects all API calls — including the Authorization: Bearer header containing the OpenAI API key — to an arbitrary URL.

Details

```go
// pkg/api/api.go:103-108 — CURRENT
baseURL, isSet := os.LookupEnv("OPENAI_API_BASE")
if isSet {
    clientConfig.BaseURL = baseURL   // no validation
    slog.Debug("Setting API base url to " + baseURL)  // only visible with --verbose
}
```

Attack scenarios:

  • On cloud VMs, pointing to http://169.254.169.254/ exfiltrates instance metadata credentials (IMDS) without IMDSv2 protection.
  • An attacker-controlled .env or config.yaml in the working directory can set the variable silently.
  • The redirect is logged only at DEBUG level — invisible in normal operation.

Affected file

  • pkg/api/api.go:103-108

Remediation

Validate the URL before use (HTTPS-only policy; no hostname allowlist to preserve compatibility with self-hosted backends like Ollama, Azure OpenAI, LiteLLM):

```go
baseURL, isSet := os.LookupEnv("OPENAI_API_BASE")
if isSet {
    u, err := url.Parse(baseURL)
    if err != nil || u.Scheme != "https" || u.Host == "" {
        return nil, fmt.Errorf("OPENAI_API_BASE must be a valid https URL: %q", baseURL)
    }
    clientConfig.BaseURL = baseURL
    slog.Warn("OPENAI_API_BASE override active", "url", baseURL)  // Warn, not Debug
}
```
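As an added illustration (not the issue author's or the project's code), the proposed HTTPS-only policy pulled into a stand-alone function so the edge cases of `url.Parse` can be exercised: a scheme-less value such as `169.254.169.254/latest` parses without error as a relative path, `https://` parses with an empty host, and userinfo in the URL would otherwise land in the warning log. The name `ValidateAPIBase` is hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ValidateAPIBase applies the HTTPS-only policy proposed in the issue to a raw
// OPENAI_API_BASE value and returns the value to store in the client config.
// No hostname allowlist is applied, so self-hosted backends keep working.
// Hypothetical helper written for this illustration, not project code.
func ValidateAPIBase(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", errors.New("OPENAI_API_BASE is set but empty")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("OPENAI_API_BASE is not a valid URL: %q", raw)
	}
	// url.Parse accepts "169.254.169.254/latest" with no scheme as a relative
	// path, so the scheme check is what actually rejects a bare metadata host.
	if u.Scheme != "https" {
		return "", fmt.Errorf("OPENAI_API_BASE must use https, got scheme %q", u.Scheme)
	}
	// "https://" parses cleanly but has no host; reject it explicitly.
	if u.Host == "" {
		return "", fmt.Errorf("OPENAI_API_BASE has no host: %q", raw)
	}
	// Credentials embedded in the base URL would be copied into the Warn log line.
	if u.User != nil {
		return "", errors.New("OPENAI_API_BASE must not contain userinfo")
	}
	return u.String(), nil
}

func main() {
	// Constructed sample inputs: one valid override and three that must be refused.
	for _, c := range []string{"https://api.openai.com/v1", "http://169.254.169.254/", "https://", "169.254.169.254/latest"} {
		got, err := ValidateAPIBase(c)
		fmt.Printf("%-30q -> %q err=%v\n", c, got, err)
	}
}
```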

References

  • Security audit 2026-04-19, finding SGP-03 (Medium)
