fix(backend): tighten service-creation input validation by kaiweijw · Pull Request #612 · ChronoAIProject/NyxID

kaiweijw · 2026-05-04T07:03:40Z

Summary

[Bug] [CLI Wizard] Hosted custom services allow unsafe or ambiguous endpoint URLs #597 (SSRF / ambiguous URL): Add validate_user_endpoint_url(url, hosted_mode, field) that always rejects query / fragment / userinfo / non-http(s) / over-2048-char URLs, and additionally rejects loopback / private / link-local / CGNAT / cloud-metadata targets via DNS resolution when running in production. Wired into POST /keys (catalog override + custom HTTP), PUT /keys/{id}, and PUT /endpoints/{id}. Skipped when the route is node-managed (the URL goes to the node agent, never to NyxID's outbound HTTP client).
[Bug] [CLI Wizard] Header-auth custom service can be created with an empty auth key name #598 (empty auth_key_name): Extend the existing body-only check to cover header, query, and path methods as well (the proxy needs a non-empty key name for all four to inject the credential into a named field). Centralized the rule in auth_method_requires_key_name / auth_key_name_required_message helpers and applied it in create_user_service, update_user_service, validate_update_inputs, admin POST /services, and unified_key_service::create_key (the last one rejects before any partial endpoint / api-key rows are written, avoiding orphans).

closes #597
closes #598

The strict (hosted-mode) URL guard delegates to the existing validate_public_http_url helper, which already does the DNS-resolution / IP-class checks and is tested.
create_key gained a new hosted_mode: bool parameter populated from state.config.is_production(). In-tree tests pass false (so they continue exercising the lax dev path).
The auth_key_name check now uses .trim().is_empty(), so a whitespace-only auth_key_name: " " is rejected too.

cargo test (passes: 1790 backend + 277 CLI + 1 freshness)
Manual [Bug] [CLI Wizard] Hosted custom services allow unsafe or ambiguous endpoint URLs #597 regression: nyxid service add --custom --slug qa-cliw-local --label "QA local" --endpoint-url http://localhost:9999 --auth-method none --base-url <hosted> --output json returns 400 ValidationError instead of silently creating the service.
Manual [Bug] [CLI Wizard] Hosted custom services allow unsafe or ambiguous endpoint URLs #597 regression: --endpoint-url 'https://httpbin.org/anything?x=1' returns 400 endpoint_url must not contain a query string.
Manual [Bug] [CLI Wizard] Hosted custom services allow unsafe or ambiguous endpoint URLs #597 self-hosted regression: same --endpoint-url http://localhost:9999 against a non-production backend still succeeds (dev workflow preserved).
Manual [Bug] [CLI Wizard] Header-auth custom service can be created with an empty auth key name #598 regression: nyxid service add --custom ... --auth-method header --auth-key-name '' --credential-env QA_TOKEN ... returns 400 ValidationError at create time instead of HTTP 500 on first proxy call.
Manual [Bug] [CLI Wizard] Header-auth custom service can be created with an empty auth key name #598 regression: auth-method query/path with empty key name also rejected.
Regression: existing bearer / basic / none services with empty auth_key_name still create successfully (the methods that don't need a key name).

kaiweijw added 2 commits May 4, 2026 14:58

fix(backend): reject unsafe custom endpoint URLs in hosted mode (#597)

9b5feb6

fix(backend): require auth_key_name for header query path body methods (

5515983

#598)

kaiweijw merged commit 94344e6 into main May 4, 2026
10 checks passed

kaiweijw deleted the fix/service-creation-validation branch May 4, 2026 07:14