🛡️ fix: Implement TOCTOU-Safe SSRF Protection for Actions and MCP (#11722)

* refactor: better SSRF Protection in Action and Tool Services

- Added `createSSRFSafeAgents` function to create HTTP/HTTPS agents that block connections to private/reserved IP addresses, enhancing security against SSRF attacks.
- Updated `createActionTool` to accept a `useSSRFProtection` parameter, allowing the use of SSRF-safe agents during tool execution.
- Modified `processRequiredActions` and `loadAgentTools` to utilize the new SSRF protection feature based on allowed domains configuration.
- Introduced `resolveHostnameSSRF` function to validate resolved IPs against private ranges, preventing potential SSRF vulnerabilities.
- Enhanced tests for domain resolution and private IP detection to ensure robust SSRF protection mechanisms are in place.

* feat: Implement SSRF protection in MCP connections

- Added `createSSRFSafeUndiciConnect` function to provide SSRF-safe DNS lookup options for undici agents.
- Updated `MCPConnection`, `MCPConnectionFactory`, and `ConnectionsRepository` to include `useSSRFProtection` parameter, enabling SSRF protection based on server configuration.
- Enhanced `MCPManager` and `UserConnectionManager` to utilize SSRF protection when establishing connections.
- Updated tests to validate the integration of SSRF protection across various components, ensuring robust security measures are in place.

* refactor: WS MCPConnection with SSRF protection and async transport construction

- Added `resolveHostnameSSRF` to validate WebSocket hostnames against private IP addresses, enhancing SSRF protection.
- Updated `constructTransport` method to be asynchronous, ensuring proper handling of SSRF checks before establishing connections.
- Improved error handling for WebSocket transport to prevent connections to potentially unsafe addresses.

* test: Enhance ActionRequest tests for SSRF-safe agent passthrough

- Added tests to verify that httpAgent and httpsAgent are correctly passed to axios.create when provided in ActionRequest.
- Included scenarios to ensure agents are not included when no options are specified.
- Enhanced coverage for POST requests to confirm agent passthrough functionality.
- Improved overall test robustness for SSRF protection in ActionRequest execution.

api/server/services/ActionService.js

@@ -8,6 +8,7 @@ const {
   logAxiosError,
   refreshAccessToken,
   GenerationJobManager,
+  createSSRFSafeAgents,
 } = require('@librechat/api');
 const {
   Time,
@@ -133,6 +134,7 @@ async function loadActionSets(searchParams) {
  * @param {import('zod').ZodTypeAny | undefined} [params.zodSchema] - The Zod schema for tool input validation/definition
  * @param {{ oauth_client_id?: string; oauth_client_secret?: string; }} params.encrypted - The encrypted values for the action.
  * @param {string | null} [params.streamId] - The stream ID for resumable streams.
+ * @param {boolean} [params.useSSRFProtection] - When true, uses SSRF-safe HTTP agents that validate resolved IPs at connect time.
  * @returns { Promise<typeof tool | { _call: (toolInput: Object | string) => unknown}> } An object with `_call` method to execute the tool input.
  */
 async function createActionTool({
@@ -145,7 +147,9 @@ async function createActionTool({
   description,
   encrypted,
   streamId = null,
+  useSSRFProtection = false,
 }) {
+  const ssrfAgents = useSSRFProtection ? createSSRFSafeAgents() : undefined;
   /** @type {(toolInput: Object | string, config: GraphRunnableConfig) => Promise<unknown>} */
   const _call = async (toolInput, config) => {
     try {
@@ -324,7 +328,7 @@ async function createActionTool({
         }
       }
 
-      const response = await preparedExecutor.execute();
+      const response = await preparedExecutor.execute(ssrfAgents);
 
       if (typeof response.data === 'object') {
         return JSON.stringify(response.data);

api/server/services/ToolService.js

@@ -338,6 +338,7 @@ async function processRequiredActions(client, requiredActions) {
       }
 
       // We've already decrypted the metadata, so we can pass it directly
+      const _allowedDomains = appConfig?.actions?.allowedDomains;
       tool = await createActionTool({
         userId: client.req.user.id,
         res: client.res,
@@ -345,6 +346,7 @@ async function processRequiredActions(client, requiredActions) {
         requestBuilder,
         // Note: intentionally not passing zodSchema, name, and description for assistants API
         encrypted, // Pass the encrypted values for OAuth flow
+        useSSRFProtection: !Array.isArray(_allowedDomains) || _allowedDomains.length === 0,
       });
       if (!tool) {
         logger.warn(
@@ -1064,6 +1066,7 @@ async function loadAgentTools({
     const zodSchema = zodSchemas[functionName];
 
     if (requestBuilder) {
+      const _allowedDomains = appConfig?.actions?.allowedDomains;
       const tool = await createActionTool({
         userId: req.user.id,
         res,
@@ -1074,6 +1077,7 @@ async function loadAgentTools({
         name: toolName,
         description: functionSig.description,
         streamId,
+        useSSRFProtection: !Array.isArray(_allowedDomains) || _allowedDomains.length === 0,
       });
 
       if (!tool) {
@@ -1372,6 +1376,7 @@ async function loadActionToolsForExecution({
       requestBuilder,
       name: toolName,
       description: functionSig?.description ?? '',
+      useSSRFProtection: !Array.isArray(allowedDomains) || allowedDomains.length === 0,
     });
 
     if (!tool) {