🛡️ fix: Implement TOCTOU-Safe SSRF Protection for Actions and MCP (#11722)

* refactor: better SSRF Protection in Action and Tool Services

- Added `createSSRFSafeAgents` function to create HTTP/HTTPS agents that block connections to private/reserved IP addresses, enhancing security against SSRF attacks.
- Updated `createActionTool` to accept a `useSSRFProtection` parameter, allowing the use of SSRF-safe agents during tool execution.
- Modified `processRequiredActions` and `loadAgentTools` to utilize the new SSRF protection feature based on allowed domains configuration.
- Introduced `resolveHostnameSSRF` function to validate resolved IPs against private ranges, preventing potential SSRF vulnerabilities.
- Enhanced tests for domain resolution and private IP detection to ensure robust SSRF protection mechanisms are in place.

* feat: Implement SSRF protection in MCP connections

- Added `createSSRFSafeUndiciConnect` function to provide SSRF-safe DNS lookup options for undici agents.
- Updated `MCPConnection`, `MCPConnectionFactory`, and `ConnectionsRepository` to include `useSSRFProtection` parameter, enabling SSRF protection based on server configuration.
- Enhanced `MCPManager` and `UserConnectionManager` to utilize SSRF protection when establishing connections.
- Updated tests to validate the integration of SSRF protection across various components, ensuring robust security measures are in place.

* refactor: WS MCPConnection with SSRF protection and async transport construction

- Added `resolveHostnameSSRF` to validate WebSocket hostnames against private IP addresses, enhancing SSRF protection.
- Updated `constructTransport` method to be asynchronous, ensuring proper handling of SSRF checks before establishing connections.
- Improved error handling for WebSocket transport to prevent connections to potentially unsafe addresses.

* test: Enhance ActionRequest tests for SSRF-safe agent passthrough

- Added tests to verify that httpAgent and httpsAgent are correctly passed to axios.create when provided in ActionRequest.
- Included scenarios to ensure agents are not included when no options are specified.
- Enhanced coverage for POST requests to confirm agent passthrough functionality.
- Improved overall test robustness for SSRF protection in ActionRequest execution.

packages/data-provider/src/actions.ts

@@ -283,7 +283,7 @@ class RequestExecutor {
     return this;
   }
 
-  async execute() {
+  async execute(options?: { httpAgent?: unknown; httpsAgent?: unknown }) {
     const url = createURL(this.config.domain, this.path);
     const headers: Record<string, string> = {
       ...this.authHeaders,
@@ -300,10 +300,15 @@ class RequestExecutor {
      *
      * By setting maxRedirects: 0, we prevent this attack vector.
      * The action will receive the redirect response (3xx) instead of following it.
+     *
+     * SECURITY: When httpAgent/httpsAgent are provided (SSRF-safe agents), they validate
+     * the DNS-resolved IP at TCP connect time, preventing TOCTOU DNS rebinding attacks.
      */
     const axios = _axios.create({
       maxRedirects: 0,
-      validateStatus: (status) => status >= 200 && status < 400, // Accept 3xx but don't follow
+      validateStatus: (status) => status >= 200 && status < 400,
+      ...(options?.httpAgent != null ? { httpAgent: options.httpAgent } : {}),
+      ...(options?.httpsAgent != null ? { httpsAgent: options.httpsAgent } : {}),
     });
 
     // Initialize separate containers for query and body parameters.