Files
wehub-resource-sync e04ed9c211
CF: Deploy Dev Docs / deploy (push) Has been cancelled
Sync Labels / build (push) Has been cancelled
tests / unit tests (macos-latest) (push) Has been cancelled
tests / unit tests (windows-latest) (push) Has been cancelled
tests / unit tests (ubuntu-latest) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:32:45 +08:00

366 lines
9.4 KiB
Go

// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package http
import (
"context"
"crypto/tls"
"encoding/json"
"fmt"
"io"
"net"
"net/http"
"net/url"
"strings"
"syscall"
"time"
"github.com/goccy/go-yaml"
"github.com/googleapis/mcp-toolbox/internal/sources"
"github.com/googleapis/mcp-toolbox/internal/util"
"go.opentelemetry.io/otel/trace"
)
const SourceType string = "http"
const maxErrorBodyLogBytes = 1024
// validate interface
var _ sources.SourceConfig = Config{}
func init() {
if !sources.Register(SourceType, newConfig) {
panic(fmt.Sprintf("source type %q already registered", SourceType))
}
}
func newConfig(ctx context.Context, name string, decoder *yaml.Decoder) (sources.SourceConfig, error) {
actual := Config{Name: name, Timeout: "30s"} // Default timeout
if err := decoder.DecodeContext(ctx, &actual); err != nil {
return nil, err
}
return actual, nil
}
type Config struct {
Name string `yaml:"name" validate:"required"`
Type string `yaml:"type" validate:"required"`
BaseURL string `yaml:"baseUrl"`
Timeout string `yaml:"timeout"`
DefaultHeaders map[string]string `yaml:"headers"`
QueryParams map[string]string `yaml:"queryParams"`
ReturnFullError bool `yaml:"returnFullError"`
DisableSslVerification bool `yaml:"disableSslVerification"`
AllowedIPRanges []string `yaml:"allowedIpRanges"`
CustomBlockedIPRanges []string `yaml:"customBlockedIpRanges"`
AllowPrivateNetworks bool `yaml:"allowPrivateNetworks"`
}
func (r Config) SourceConfigType() string {
return SourceType
}
// Initialize initializes an HTTP Source instance.
func (r Config) Initialize(ctx context.Context, tracer trace.Tracer) (sources.Source, error) {
duration, err := time.ParseDuration(r.Timeout)
if err != nil {
return nil, fmt.Errorf("unable to parse Timeout string as time.Duration: %s", err)
}
var tr *http.Transport
if defaultTr, ok := http.DefaultTransport.(*http.Transport); ok {
tr = defaultTr.Clone()
} else {
tr = &http.Transport{}
}
logger, err := util.LoggerFromContext(ctx)
if err != nil {
return nil, fmt.Errorf("unable to get logger from ctx: %s", err)
}
if r.DisableSslVerification {
tr.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
}
logger.WarnContext(ctx, "WARNING: TLS certificate verification is skipped (InsecureSkipVerify: true) for HTTP source %s. This exposes all traffic for this source to Man-in-the-Middle (MITM) attacks. Do not use in production.", r.Name)
}
// Validate BaseURL
parsedURL, err := url.ParseRequestURI(r.BaseURL)
if err != nil {
return nil, fmt.Errorf("failed to parse BaseUrl %v", err)
}
allowedRanges, err := parseCIDRs(r.AllowedIPRanges)
if err != nil {
return nil, fmt.Errorf("invalid allowedIpRanges: %w", err)
}
customBlocked, err := parseCIDRs(r.CustomBlockedIPRanges)
if err != nil {
return nil, fmt.Errorf("invalid customBlockedIpRanges: %w", err)
}
guard := &SSRFGuard{
AllowPrivateNetworks: r.AllowPrivateNetworks,
AllowedRanges: allowedRanges,
CustomBlocked: customBlocked,
}
// Quick fast-fail check for direct IP configurations in the YAML
if ip := net.ParseIP(parsedURL.Hostname()); ip != nil {
if guard.IsIPBlocked(ip) {
return nil, fmt.Errorf("invalid BaseURL %s: points to a blocked internal IP address", r.BaseURL)
}
}
client, err := createHTTPClient(duration, tr, guard, nil)
if err != nil {
return nil, fmt.Errorf("failed to create secure HTTP client: %w", err)
}
ua, err := util.UserAgentFromContext(ctx)
if err != nil {
fmt.Printf("Error in User Agent retrieval: %s", err)
}
if r.DefaultHeaders == nil {
r.DefaultHeaders = make(map[string]string)
}
if existingUA, ok := r.DefaultHeaders["User-Agent"]; ok {
ua = ua + " " + existingUA
}
r.DefaultHeaders["User-Agent"] = ua
s := &Source{
Config: r,
client: client,
}
return s, nil
}
var _ sources.Source = &Source{}
type Source struct {
Config
client *http.Client
}
func (s *Source) SourceType() string {
return SourceType
}
func (s *Source) ToConfig() sources.SourceConfig {
return s.Config
}
func (s *Source) HttpDefaultHeaders() map[string]string {
return s.DefaultHeaders
}
func (s *Source) HttpBaseURL() string {
return s.BaseURL
}
func (s *Source) HttpQueryParams() map[string]string {
return s.QueryParams
}
func (s *Source) Client() *http.Client {
return s.client
}
func (s *Source) RunRequest(ctx context.Context, req *http.Request) (any, error) {
// Make request and fetch response
resp, err := s.Client().Do(req)
if err != nil {
return nil, fmt.Errorf("error making HTTP request: %s", err)
}
defer resp.Body.Close()
var body []byte
body, err = io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
if resp.StatusCode < 200 || resp.StatusCode > 299 {
if s.ReturnFullError {
return nil, fmt.Errorf("unexpected status code: %d, response body: %s", resp.StatusCode, string(body))
}
logger, err := util.LoggerFromContext(ctx)
if err != nil {
return nil, fmt.Errorf("unable to get logger from ctx: %s", err)
}
logger.DebugContext(ctx, "http source upstream error", "status", resp.StatusCode, "body", truncateForLog(body, maxErrorBodyLogBytes))
statusText := http.StatusText(resp.StatusCode)
if statusText != "" {
return nil, fmt.Errorf("unexpected status code: %d (%s)", resp.StatusCode, statusText)
}
return nil, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
}
var data any
if err = json.Unmarshal(body, &data); err != nil {
// if unable to unmarshal data, return result as string.
return string(body), nil
}
return data, nil
}
func truncateForLog(body []byte, limit int) string {
if limit <= 0 || len(body) == 0 {
return ""
}
if len(body) <= limit {
return string(body)
}
return fmt.Sprintf("%s...(%d bytes truncated)", string(body[:limit]), len(body)-limit)
}
type dnsResolver interface {
LookupHost(ctx context.Context, host string) ([]string, error)
}
// SSRFGuard manages network boundaries for the HTTP client
type SSRFGuard struct {
AllowPrivateNetworks bool
AllowedRanges []*net.IPNet
CustomBlocked []*net.IPNet
Resolver dnsResolver
}
func (g *SSRFGuard) IsIPBlocked(ip net.IP) bool {
// Check explicit whitelist overrides first
for _, r := range g.AllowedRanges {
if r.Contains(ip) {
return false
}
}
// Check explicit custom blacklists
for _, r := range g.CustomBlocked {
if r.Contains(ip) {
return true
}
}
// Default strict RFC 1918 / Link-Local / Loopback protection
if !g.AllowPrivateNetworks {
if !ip.IsGlobalUnicast() || ip.IsPrivate() {
return true
}
}
return false
}
func parseCIDRs(list []string) ([]*net.IPNet, error) {
var nets []*net.IPNet
for _, entry := range list {
entry = strings.TrimSpace(entry)
if entry == "" {
continue
}
// If it is a single IP address (does not contain a slash), we can append /32 or /128
if !strings.Contains(entry, "/") {
ip := net.ParseIP(entry)
if ip != nil {
if ip.To4() != nil {
entry = entry + "/32"
} else {
entry = entry + "/128"
}
}
}
_, ipNet, err := net.ParseCIDR(entry)
if err != nil {
return nil, fmt.Errorf("invalid CIDR or IP address %q: %w", entry, err)
}
nets = append(nets, ipNet)
}
return nets, nil
}
func createHTTPClient(duration time.Duration, tr *http.Transport, guard *SSRFGuard, res dnsResolver) (*http.Client, error) {
if res != nil {
guard.Resolver = res
}
resolver := guard.Resolver
if resolver == nil {
resolver = net.DefaultResolver
}
dialer := &net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
Control: func(network, address string, c syscall.RawConn) error {
host, _, err := net.SplitHostPort(address)
if err != nil {
return err
}
ip := net.ParseIP(host)
if ip != nil {
if guard.IsIPBlocked(ip) {
return fmt.Errorf("connection to blocked IP %s denied", ip)
}
}
return nil
},
}
if r, ok := resolver.(*net.Resolver); ok {
dialer.Resolver = r
}
tr.DialContext = dialer.DialContext
client := &http.Client{
Timeout: duration,
Transport: tr,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
if len(via) >= 10 {
return fmt.Errorf("stopped after 10 redirects")
}
hostname := req.URL.Hostname()
if ip := net.ParseIP(hostname); ip != nil {
if guard.IsIPBlocked(ip) {
return fmt.Errorf("redirect to blocked IP %s denied", ip)
}
return nil
}
addrs, err := resolver.LookupHost(req.Context(), hostname)
if err != nil {
return fmt.Errorf("failed to resolve redirect host %s: %w", hostname, err)
}
for _, addr := range addrs {
if ip := net.ParseIP(addr); ip != nil {
if guard.IsIPBlocked(ip) {
return fmt.Errorf("redirect host %s resolves to blocked IP %s", hostname, addr)
}
}
}
return nil
},
}
return client, nil
}