Skip to content

Commit 83eab3a

Browse files
committed
fix(sandbox): update SSRF note and document two-step allowed_ips flow
Update the mechanistic mapper SSRF security note to reflect that proposals no longer populate allowed_ips — approving a proposal does not bypass SSRF protection. Clarify the two-step approval flow in architecture/security-policy.md. Signed-off-by: Russell Bryant <russell.bryant@gmail.com>
1 parent 1de8e7a commit 83eab3a

2 files changed

Lines changed: 6 additions & 1 deletion

File tree

architecture/security-policy.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,11 @@ recommendations:
7272
4. A human or admin workflow approves or rejects drafts.
7373
5. Approved drafts merge into the target sandbox policy.
7474

75+
Proposals intentionally omit `allowed_ips`. If a proposed rule targets a host
76+
that resolves to a private IP, the proxy's runtime SSRF classification blocks
77+
the connection. The operator must then add an explicit `allowed_ips` entry to
78+
permit it — a two-step flow that keeps SSRF protection on by default.
79+
7580
The advisor should propose narrow additions and preserve explicit-deny behavior.
7681
It is a workflow aid, not an automatic permission grant.
7782

crates/openshell-sandbox/src/mechanistic_mapper.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -277,7 +277,7 @@ fn generate_security_notes(host: &str, port: u16, is_ssrf: bool) -> String {
277277
if is_ssrf {
278278
notes.push(
279279
"This connection was blocked by SSRF protection. \
280-
Allowing it bypasses internal-IP safety checks."
280+
Private IP access requires an explicit `allowed_ips` policy entry."
281281
.to_string(),
282282
);
283283
}

0 commit comments

Comments
 (0)