Skip to content

fix: respect SSRF_Allowlist in Custom OAuth token exchange#41333

Open
prathamesh04 wants to merge 3 commits into
RocketChat:developfrom
prathamesh04:fix/custom-oauth-ssrf-allowlist
Open

fix: respect SSRF_Allowlist in Custom OAuth token exchange#41333
prathamesh04 wants to merge 3 commits into
RocketChat:developfrom
prathamesh04:fix/custom-oauth-ssrf-allowlist

Conversation

@prathamesh04

@prathamesh04 prathamesh04 commented Jul 13, 2026

Copy link
Copy Markdown

Proposed changes

The Custom OAuth provider's getAccessToken, getIdentity, and getEmailFromPath methods bypassed SSRF validation entirely (ignoreSsrfValidation: true). This meant the SSRF_Allowlist admin setting was completely ignored during OAuth token exchanges, identity lookups, and email fetches.

This makes it impossible to use Custom OAuth with an identity provider on a private IP (e.g. 192.168.x.x, 10.x.x.x) in self-hosted/homelab deployments, even when the administrator has explicitly allowlisted the host in Administration > Settings > General > SSRF Protection > SSRF Allowlist.

Fix: Change all three fetch() calls from ignoreSsrfValidation: true to ignoreSsrfValidation: false, allowList: settings.get('SSRF_Allowlist') — the same pattern used by every other server-side fetch call in the codebase (avatar providers, OEmbed, Apps Engine HTTP bridge, marketplace, etc.).

This preserves SSRF protection (private IPs are blocked by default) while allowing admins to explicitly permit their internal IdPs via the allowlist.

Types of changes

  • Bugfix (non-breaking change which fixes an issue)

Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA
  • Lint and unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if applicable)

Further comments

Issue: Closes #40586

Affected methods:

  • getAccessToken — token exchange POST to the OAuth provider
  • getIdentity — GET user profile from the OAuth provider
  • getEmailFromPath — GET user emails from the OAuth provider

Before: Admin adds idp.local to SSRF Allowlist → Custom OAuth login still fails with error-ssrf-validation-failed

After: SSRF validation runs and respects the allowlist → private-IP IdPs work when explicitly permitted

Review in cubic

Summary by CodeRabbit

  • Bug Fixes

    • Improved auto-translation callback cleanup to ensure consistent behavior when auto-translate is turned off.
  • Security Enhancements

    • Strengthened custom OAuth outbound requests with SSRF protection, restricting token, identity, and email lookups to the configured allowlist.

…ring

When switching AutoTranslate providers, the old callback was not being
removed because callbacks.add() with an existing ID silently returns
a removal function instead of replacing. This caused translations to
continue using the old provider until server restart.

Fixes RocketChat#41197
The Custom OAuth provider bypassed SSRF validation entirely
(ignoreSsrfValidation: true) in getAccessToken, getIdentity, and
getEmailFromPath. This prevented admins from using private-IP IdPs
(e.g. Keycloak at 192.168.x.x) even when explicitly allowlisting
them in Administration > Settings > General > SSRF Protection.

All other server-side fetch calls in the codebase pass the
SSRF_Allowlist setting as the allowList option. Apply the same
pattern to Custom OAuth so SSRF protection is enforced while
the allowlist is respected.

Signed-off-by: Prathamesh Hukkeri <prathamesh04@users.noreply.github.com>
@dionisio-bot

dionisio-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 373fe74

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@prathamesh04

Copy link
Copy Markdown
Author

cc @tassoevan This fixes the SSRF bypass in Custom OAuth — all other fetch calls in the codebase already pass the allowlist. Would appreciate a review when you get a chance.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f7d0ebe6-371e-46ae-a771-2bb71a3281d3

📥 Commits

Reviewing files that changed from the base of the PR and between 3bac567 and 373fe74.

📒 Files selected for processing (1)
  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
💤 Files with no reviewable changes (1)
  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
📜 Recent review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: cubic · AI code reviewer

Walkthrough

Custom OAuth token, identity, and email requests now apply SSRF validation with the configured allowlist. Auto-translate deregisters its message callback before checking whether translation is enabled.

Changes

Custom OAuth SSRF protection

Layer / File(s) Summary
Custom OAuth fetch validation
apps/meteor/app/custom-oauth/server/custom_oauth_server.js
Token, identity, and email endpoint requests enable SSRF validation and pass settings.get('SSRF_Allowlist').

Auto-translate callback cleanup

Layer / File(s) Summary
Callback deregistration order
apps/meteor/app/autotranslate/server/autotranslate.ts
The existing afterSaveMessage callback is removed before the provider-enabled check and disabled early return.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested labels: type: bug

Suggested reviewers: tassoevan

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The autotranslate callback deregistration change is unrelated to the SSRF allowlist fix and appears out of scope. Remove the autotranslate change or split it into a separate PR focused on that behavior.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main Custom OAuth SSRF allowlist fix, though it only mentions token exchange.
Linked Issues check ✅ Passed The Custom OAuth fetch calls now pass the SSRF allowlist with validation enabled, satisfying #40586.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/app/custom-oauth/server/custom_oauth_server.js`:
- Around line 187-188: Remove the newly added implementation comments near the
OAuth identity endpoint handling and the corresponding code at the second
referenced location, while leaving the SSRF validation behavior and its options
unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e1b1e521-6069-4c2b-89f5-479daf0da087

📥 Commits

Reviewing files that changed from the base of the PR and between edbaeef and 3bac567.

📒 Files selected for processing (2)
  • apps/meteor/app/autotranslate/server/autotranslate.ts
  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: cubic · AI code reviewer
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/app/autotranslate/server/autotranslate.ts
  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
🧠 Learnings (3)
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

  • apps/meteor/app/autotranslate/server/autotranslate.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

  • apps/meteor/app/autotranslate/server/autotranslate.ts
📚 Learning: 2026-05-06T12:21:44.083Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

  • apps/meteor/app/autotranslate/server/autotranslate.ts
🔇 Additional comments (3)
apps/meteor/app/autotranslate/server/autotranslate.ts (1)

105-106: LGTM!

apps/meteor/app/custom-oauth/server/custom_oauth_server.js (2)

147-153: SSRF validation changes are correct and consistent across all three fetch calls.

All three Custom OAuth endpoint requests now properly enable SSRF validation (ignoreSsrfValidation: false) and pass the configured allowlist. The downstream getFetchAgentWithValidation in packages/server-fetch/src/index.ts confirms that when ignoreSsrfValidation is false, it calls checkForSsrfWithIp(url, allowList) and throws if the result is not allowed. This correctly addresses the issue objective of allowing private-IP identity providers when explicitly allowlisted.

Also applies to: 187-195, 301-308


149-149: 🔒 Security & Privacy

No action needed: apps/meteor/server/settings/general.ts registers SSRF_Allowlist as a string setting with '' as the default, so unset values are not an unexpected object/null case.

			> Likely an incorrect or invalid review comment.

Comment thread apps/meteor/app/custom-oauth/server/custom_oauth_server.js Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Re-trigger cubic

@prathamesh04

Copy link
Copy Markdown
Author

Removed the code comments per the coding guidelines (see inline review feedback). This PR is ready for review — @RocketChat/backend could you take a look?

@prathamesh04

Copy link
Copy Markdown
Author

Hi @julio-rocketchat, could you please review this when you get a chance? Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Custom OAuth token exchange ignores SSRF_Allowlist setting

1 participant