🛡️ fix: Implement TOCTOU-Safe SSRF Protection for Actions and MCP (#11722)

* refactor: better SSRF Protection in Action and Tool Services

- Added `createSSRFSafeAgents` function to create HTTP/HTTPS agents that block connections to private/reserved IP addresses, enhancing security against SSRF attacks.
- Updated `createActionTool` to accept a `useSSRFProtection` parameter, allowing the use of SSRF-safe agents during tool execution.
- Modified `processRequiredActions` and `loadAgentTools` to utilize the new SSRF protection feature based on allowed domains configuration.
- Introduced `resolveHostnameSSRF` function to validate resolved IPs against private ranges, preventing potential SSRF vulnerabilities.
- Enhanced tests for domain resolution and private IP detection to ensure robust SSRF protection mechanisms are in place.

* feat: Implement SSRF protection in MCP connections

- Added `createSSRFSafeUndiciConnect` function to provide SSRF-safe DNS lookup options for undici agents.
- Updated `MCPConnection`, `MCPConnectionFactory`, and `ConnectionsRepository` to include `useSSRFProtection` parameter, enabling SSRF protection based on server configuration.
- Enhanced `MCPManager` and `UserConnectionManager` to utilize SSRF protection when establishing connections.
- Updated tests to validate the integration of SSRF protection across various components, ensuring robust security measures are in place.

* refactor: WS MCPConnection with SSRF protection and async transport construction

- Added `resolveHostnameSSRF` to validate WebSocket hostnames against private IP addresses, enhancing SSRF protection.
- Updated `constructTransport` method to be asynchronous, ensuring proper handling of SSRF checks before establishing connections.
- Improved error handling for WebSocket transport to prevent connections to potentially unsafe addresses.

* test: Enhance ActionRequest tests for SSRF-safe agent passthrough

- Added tests to verify that httpAgent and httpsAgent are correctly passed to axios.create when provided in ActionRequest.
- Included scenarios to ensure agents are not included when no options are specified.
- Enhanced coverage for POST requests to confirm agent passthrough functionality.
- Improved overall test robustness for SSRF protection in ActionRequest execution.

packages/api/src/auth/agent.spec.ts

@@ -0,0 +1,113 @@
+jest.mock('node:dns', () => {
+  const actual = jest.requireActual('node:dns');
+  return {
+    ...actual,
+    lookup: jest.fn(),
+  };
+});
+
+import dns from 'node:dns';
+import { createSSRFSafeAgents, createSSRFSafeUndiciConnect } from './agent';
+
+type LookupCallback = (err: NodeJS.ErrnoException | null, address: string, family: number) => void;
+
+const mockedDnsLookup = dns.lookup as jest.MockedFunction<typeof dns.lookup>;
+
+function mockDnsResult(address: string, family: number): void {
+  mockedDnsLookup.mockImplementation(((
+    _hostname: string,
+    _options: unknown,
+    callback: LookupCallback,
+  ) => {
+    callback(null, address, family);
+  }) as never);
+}
+
+function mockDnsError(err: NodeJS.ErrnoException): void {
+  mockedDnsLookup.mockImplementation(((
+    _hostname: string,
+    _options: unknown,
+    callback: LookupCallback,
+  ) => {
+    callback(err, '', 0);
+  }) as never);
+}
+
+describe('createSSRFSafeAgents', () => {
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should return httpAgent and httpsAgent', () => {
+    const agents = createSSRFSafeAgents();
+    expect(agents.httpAgent).toBeDefined();
+    expect(agents.httpsAgent).toBeDefined();
+  });
+
+  it('should patch httpAgent createConnection to inject SSRF lookup', () => {
+    const agents = createSSRFSafeAgents();
+    const internal = agents.httpAgent as unknown as {
+      createConnection: (opts: Record<string, unknown>) => unknown;
+    };
+    expect(internal.createConnection).toBeInstanceOf(Function);
+  });
+});
+
+describe('createSSRFSafeUndiciConnect', () => {
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should return an object with a lookup function', () => {
+    const connect = createSSRFSafeUndiciConnect();
+    expect(connect).toHaveProperty('lookup');
+    expect(connect.lookup).toBeInstanceOf(Function);
+  });
+
+  it('lookup should block private IPs', async () => {
+    mockDnsResult('10.0.0.1', 4);
+    const connect = createSSRFSafeUndiciConnect();
+
+    const result = await new Promise<{ err: NodeJS.ErrnoException | null }>((resolve) => {
+      connect.lookup('evil.example.com', {}, (err) => {
+        resolve({ err });
+      });
+    });
+
+    expect(result.err).toBeTruthy();
+    expect(result.err!.code).toBe('ESSRF');
+  });
+
+  it('lookup should allow public IPs', async () => {
+    mockDnsResult('93.184.216.34', 4);
+    const connect = createSSRFSafeUndiciConnect();
+
+    const result = await new Promise<{ err: NodeJS.ErrnoException | null; address: string }>(
+      (resolve) => {
+        connect.lookup('example.com', {}, (err, address) => {
+          resolve({ err, address: address as string });
+        });
+      },
+    );
+
+    expect(result.err).toBeNull();
+    expect(result.address).toBe('93.184.216.34');
+  });
+
+  it('lookup should forward DNS errors', async () => {
+    const dnsError = Object.assign(new Error('ENOTFOUND'), {
+      code: 'ENOTFOUND',
+    }) as NodeJS.ErrnoException;
+    mockDnsError(dnsError);
+    const connect = createSSRFSafeUndiciConnect();
+
+    const result = await new Promise<{ err: NodeJS.ErrnoException | null }>((resolve) => {
+      connect.lookup('nonexistent.example.com', {}, (err) => {
+        resolve({ err });
+      });
+    });
+
+    expect(result.err).toBeTruthy();
+    expect(result.err!.code).toBe('ENOTFOUND');
+  });
+});