fix(config): allow http OPENAI_API_BASE for loopback and RFC1918 #372
Merged
PR #367 enforced https-only on OPENAI_API_BASE to close #358, which broke local LLM setups (Ollama, LiteLLM, vLLM in containers) that legitimately use plain http on loopback or private networks.

The validator now accepts:
- https for any host (unchanged)
- http for localhost, 127.0.0.0/8, ::1, RFC1918 (10/8, 172.16/12, 192.168/16) and RFC4193 ULA (fc00::/7)

Link-local (169.254/16 IMDS, fe80::/10) and 0.0.0.0/8 are rejected explicitly so the IMDS exfiltration vector from #358 stays blocked.

Single-label LAN hostnames (e.g. http://thinkbox:8080/v1) can't be classified by IP literal and need an explicit opt-out via the new --insecure-api-base persistent flag or insecureAPIBase: true in config.yaml. The opt-out is deliberately not bound to an env var: #358's threat model assumes attacker control of the environment, so an env-var opt-out would undo the validation guarantee.

When validation passes, the override is logged at debug instead of warn (PR #367 emitted a warn line per request, which interleaved with stderr in scripts).

Closes #371.
Summary
- OPENAI_API_BASE=http://localhost:11434/v1 (Ollama / LiteLLM / vLLM and friends) is allowed again. The https-only validation now accepts http for loopback (localhost, 127.0.0.0/8, ::1), RFC1918 (10/8, 172.16/12, 192.168/16) and RFC4193 ULA (fc00::/7).
- Link-local (169.254/16 IMDS, fe80::/10) and 0.0.0.0/8 are rejected explicitly so the SSRF / key-exfiltration vector from security: unvalidated OPENAI_API_BASE enables SSRF and API key exfiltration #358 stays blocked.
- --insecure-api-base persistent flag (and insecureAPIBase config-file key) for single-label LAN hostnames like http://thinkbox:8080/v1 that can't be classified by IP literal. Deliberately not bound to an env var — #358's threat model assumes attacker control of the environment, so an env-var opt-out would undo the validation guarantee.
- slog.Warn("OPENAI_API_BASE override active", ...) (added in config: validate OPENAI_API_BASE against SSRF risks #367) back to slog.Debug; only the opt-out path still emits a one-shot WARN. Scripts that capture stderr (2>&1) are quiet again.

Closes #371.
Test plan
- go test ./... (extended TestCreateClientAPIBaseValidation table with loopback/RFC1918/ULA/IMDS/IPv4-mapped/link-local/unspecified/CGNAT/userinfo-trick cases; new TestCreateClientAPIBaseInsecureOptOut covers the viper opt-out)
- TestCheckCmdInsecureAPIBaseFlag exercises the --insecure-api-base flag end-to-end through cobra → viper → CreateClient
- golangci-lint run ./... (0 issues with golangci-lint 2.12.2 / go1.26.2 via the updated flake)
- OPENAI_API_BASE=http://localhost:11434/v1 sgpt "hi" — no warning, validation passes
- OPENAI_API_BASE=http://thinkbox:8080/v1 sgpt "hi" — fails with discoverable error pointing to --insecure-api-base / insecureAPIBase: true
- OPENAI_API_BASE=http://169.254.169.254/ sgpt "hi" — still blocked (link-local explicitly rejected)
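
The classification rules described in this PR, as an added example in Go using only the standard library; it is not the project's code. The name checkAPIBase, the error wording, the IPv4-mapped unmapping and the choice to keep link-local and 0.0.0.0/8 rejected even when the opt-out is set are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

var zeroNet = netip.MustParsePrefix("0.0.0.0/8") // rejected alongside link-local

// checkAPIBase is a hypothetical helper, not the project's function.
// allowInsecure models --insecure-api-base / insecureAPIBase: true.
func checkAPIBase(raw string, allowInsecure bool) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("parse API base: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return nil // https is accepted for any host
	case "http": // classified by host below
	default:
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	// Hostname() drops userinfo and port: http://localhost@169.254.169.254/ is judged by its real host.
	host := u.Hostname()
	if addr, perr := netip.ParseAddr(host); perr == nil {
		addr = addr.Unmap() // ::ffff:a.b.c.d is treated as the IPv4 address it carries
		// Assumption: the explicit rejections also win over the opt-out.
		if addr.IsLinkLocalUnicast() || addr.IsUnspecified() || zeroNet.Contains(addr) {
			return fmt.Errorf("http not allowed for link-local/unspecified host %s", addr)
		}
		if addr.IsLoopback() || addr.IsPrivate() { // IsPrivate: RFC1918 + fc00::/7
			return nil
		}
	} else if strings.EqualFold(host, "localhost") {
		return nil
	}
	if allowInsecure {
		return nil // explicit opt-out, e.g. a single-label LAN hostname
	}
	return fmt.Errorf("http not allowed for host %q: use https or the insecure-api-base opt-out", host)
}

func main() {
	for _, s := range []string{"http://localhost:11434/v1", "http://thinkbox:8080/v1", "http://169.254.169.254/"} {
		fmt.Printf("%-28s -> %v\n", s, checkAPIBase(s, false))
	}
}
```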