406a79d9eb
backchannel_logout_uri was validated only for scheme/HTTPS, so an admin (or a compromised admin account) could point it at internal infrastructure — cloud metadata (169.254.169.254), loopback, or RFC1918 hosts — and every user logout would fire a server-side POST there. Add PrivateAddressCheck (app/lib) and apply it as defense-in-depth: - Application validation rejects URIs whose host is, or is a literal, internal address (loopback / private / link-local / 0.0.0.0 / localhost / metadata hostnames). Fast, DNS-free, immediate admin feedback. - BackchannelLogoutJob re-checks at request time WITH DNS resolution and aborts (no retry) if the host resolves to a non-public address — covering URIs that predate the validation and public hostnames pointed at internal IPs. Tests cover the address classification, the model validation, and updates an existing test that used a localhost logout URI. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2.5 KiB
2.5 KiB