fix(coderd): harden Azure identity certificate fetch#25274
Merged
Conversation
Re-land the SSRF hardening for Azure identity certificate fetching that was reverted in #25273 due to CI failures. This commit includes the original security improvements plus fixes for the three CI issues.

Security hardening:
- Restrict cert fetches to a host+port allowlist (Microsoft and DigiCert on 80/443).
- Route requests through a dedicated `http.Client` that resolves the host once and dials the validated IP directly.
- Reject loopback, private (RFC 1918 / IPv6 ULA), link-local, multicast, unspecified, CGNAT, benchmarking, and IPv4-mapped IPv6 addresses.
- Cap the certificate response body at 1 MiB.
- Log the underlying error via slog and return a generic detail to the caller.
- Add unit tests for the URL allowlist, IP classification, and dialer.

CI fixes over original commit (fb3aef1):
- Fix `bodyclose` lint: use `http.NewRequestWithContext` + `Do()` with deferred `resp.Body.Close()` guard in `TestCertFetchClientRejectsLoopback`.
- Fix fmt: remove extra alignment spaces on IPv6 CIDR comments.
- Fix fmt: remove stray blank line between slog and coder imports.
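The description above lists the moving parts of the hardening (host+port allowlist, resolve-once pinned dialer, non-public address rejection, 1 MiB body cap) without showing how they fit together. The following is an added Go example written for this page, not code from the coder/coder PR: the allowlist hostnames (`cert-host.example`) are placeholders, the function names (`checkCertURL`, `isForbiddenAddr`, `pinnedDial`, `fetchCertificate`) are this example's own, and the redirect re-check in `CheckRedirect` is an extra safeguard the PR text does not mention.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
	"time"
)

const maxCertBytes = 1 << 20 // 1 MiB cap on the certificate body

var (
	errNotAllowed   = errors.New("certificate URL is not in the allowlist")
	errForbiddenIP  = errors.New("host resolves to a non-public address")
	errCertTooLarge = errors.New("certificate response exceeds 1 MiB")
)

// Placeholder host:port allowlist (assumption; the project's real hosts are not on the page).
var allowedHostPorts = map[string]bool{"cert-host.example:80": true, "cert-host.example:443": true}

// Ranges that netip.Addr's own predicates do not cover.
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("100.64.0.0/10"), // CGNAT, RFC 6598
	netip.MustParsePrefix("198.18.0.0/15"), // benchmarking, RFC 2544
}

// isForbiddenAddr reports whether an address must never be dialed.
func isForbiddenAddr(a netip.Addr) bool {
	if !a.IsValid() || a.Is4In6() { // invalid, or IPv4-mapped IPv6 (::ffff:a.b.c.d)
		return true
	}
	// IsPrivate covers RFC 1918 and IPv6 ULA (fc00::/7).
	if a.IsLoopback() || a.IsPrivate() || a.IsUnspecified() || a.IsMulticast() ||
		a.IsLinkLocalUnicast() || a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() {
		return true
	}
	for _, p := range blockedPrefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// checkCertURL accepts only http/https URLs whose host:port is allowlisted and returns that host:port.
func checkCertURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	port, defaultPort := u.Port(), map[string]string{"http": "80", "https": "443"}[u.Scheme]
	if defaultPort == "" {
		return "", errNotAllowed // unknown scheme
	}
	if port == "" {
		port = defaultPort
	}
	hostPort := net.JoinHostPort(strings.ToLower(u.Hostname()), port)
	if !allowedHostPorts[hostPort] {
		return "", errNotAllowed
	}
	return hostPort, nil
}

// pinnedDial resolves the host once, rejects the whole host if any returned address is
// forbidden, and dials the validated IP literal so no second lookup can swap the target.
func pinnedDial(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("resolve %s: no addresses", host)
	}
	for i := range ips {
		ips[i] = ips[i].Unmap() // some Go versions hand back A records in mapped form
		if isForbiddenAddr(ips[i]) {
			return nil, fmt.Errorf("dial %s: %w", host, errForbiddenIP)
		}
	}
	var d net.Dialer
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
}

// newCertFetchClient ignores proxy env vars, dials through pinnedDial, and re-checks redirects.
func newCertFetchClient() *http.Client {
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{Proxy: nil, DialContext: pinnedDial},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			_, err := checkCertURL(req.URL.String())
			return err
		},
	}
}

// fetchCertificate validates the URL, GETs it through the hardened client, and caps the body.
func fetchCertificate(ctx context.Context, client *http.Client, rawURL string) ([]byte, error) {
	if _, err := checkCertURL(rawURL); err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	// Read one byte past the cap so an oversized body is rejected rather than silently truncated.
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxCertBytes+1))
	if err != nil {
		return nil, err
	}
	if len(body) > maxCertBytes {
		return nil, errCertTooLarge
	}
	return body, nil
}
```

Only `DialContext` is overridden, so TLS verification and SNI still use the original hostname from the URL while the TCP connection goes to the address that was just validated. Rejecting the host when any resolved address is forbidden is deliberately stricter than picking the first acceptable one: a name that mixes public and internal records is itself suspicious for an allowlisted CA endpoint.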
ThomasK33
approved these changes
May 13, 2026
Re-lands the SSRF hardening for Azure identity certificate fetching that was reverted in #25273 due to CI failures (lint, fmt).

Security improvements:
- Route requests through a dedicated `http.Client` that resolves the host once and dials the validated IP directly, preventing DNS rebinding.

CI fixes over original commit (fb3aef1):
- Fix `bodyclose` lint: use `http.NewRequestWithContext` + `Do()` with deferred `resp.Body.Close()` guard in `TestCertFetchClientRejectsLoopback`.
- Fix fmt: remove extra alignment spaces on IPv6 CIDR comments in `init()`.
- Fix fmt: remove stray blank line between `cdr.dev/slog` and `github.com/coder` imports.

Note: This PR was authored by Coder Agents.