🛡️ fix: Implement TOCTOU-Safe SSRF Protection for Actions and MCP (#11722)

* refactor: better SSRF Protection in Action and Tool Services

- Added `createSSRFSafeAgents` function to create HTTP/HTTPS agents that block connections to private/reserved IP addresses, enhancing security against SSRF attacks.
- Updated `createActionTool` to accept a `useSSRFProtection` parameter, allowing the use of SSRF-safe agents during tool execution.
- Modified `processRequiredActions` and `loadAgentTools` to utilize the new SSRF protection feature based on allowed domains configuration.
- Introduced `resolveHostnameSSRF` function to validate resolved IPs against private ranges, preventing potential SSRF vulnerabilities.
- Enhanced tests for domain resolution and private IP detection to ensure robust SSRF protection mechanisms are in place.

* feat: Implement SSRF protection in MCP connections

- Added `createSSRFSafeUndiciConnect` function to provide SSRF-safe DNS lookup options for undici agents.
- Updated `MCPConnection`, `MCPConnectionFactory`, and `ConnectionsRepository` to include `useSSRFProtection` parameter, enabling SSRF protection based on server configuration.
- Enhanced `MCPManager` and `UserConnectionManager` to utilize SSRF protection when establishing connections.
- Updated tests to validate the integration of SSRF protection across various components, ensuring robust security measures are in place.

* refactor: WS MCPConnection with SSRF protection and async transport construction

- Added `resolveHostnameSSRF` to validate WebSocket hostnames against private IP addresses, enhancing SSRF protection.
- Updated `constructTransport` method to be asynchronous, ensuring proper handling of SSRF checks before establishing connections.
- Improved error handling for WebSocket transport to prevent connections to potentially unsafe addresses.

* test: Enhance ActionRequest tests for SSRF-safe agent passthrough

- Added tests to verify that httpAgent and httpsAgent are correctly passed to axios.create when provided in ActionRequest.
- Included scenarios to ensure agents are not included when no options are specified.
- Enhanced coverage for POST requests to confirm agent passthrough functionality.
- Improved overall test robustness for SSRF protection in ActionRequest execution.

api/server/services/ToolService.js

@@ -338,6 +338,7 @@ async function processRequiredActions(client, requiredActions) {
       }
 
       // We've already decrypted the metadata, so we can pass it directly
+      const _allowedDomains = appConfig?.actions?.allowedDomains;
       tool = await createActionTool({
         userId: client.req.user.id,
         res: client.res,
@@ -345,6 +346,7 @@ async function processRequiredActions(client, requiredActions) {
         requestBuilder,
         // Note: intentionally not passing zodSchema, name, and description for assistants API
         encrypted, // Pass the encrypted values for OAuth flow
+        useSSRFProtection: !Array.isArray(_allowedDomains) || _allowedDomains.length === 0,
       });
       if (!tool) {
         logger.warn(
@@ -1064,6 +1066,7 @@ async function loadAgentTools({
     const zodSchema = zodSchemas[functionName];
 
     if (requestBuilder) {
+      const _allowedDomains = appConfig?.actions?.allowedDomains;
       const tool = await createActionTool({
         userId: req.user.id,
         res,
@@ -1074,6 +1077,7 @@ async function loadAgentTools({
         name: toolName,
         description: functionSig.description,
         streamId,
+        useSSRFProtection: !Array.isArray(_allowedDomains) || _allowedDomains.length === 0,
       });
 
       if (!tool) {
@@ -1372,6 +1376,7 @@ async function loadActionToolsForExecution({
       requestBuilder,
       name: toolName,
       description: functionSig?.description ?? '',
+      useSSRFProtection: !Array.isArray(allowedDomains) || allowedDomains.length === 0,
     });
 
     if (!tool) {