refactor(rust): Add URL validation and request size limits to MCP runtime

[MohanLaksh]

Overview

This PR adds input validation and resource constraints to the Rust MCP runtime backend HTTP client layer.

Changes

URL Validation Module

• Add url_validator.rs module for backend URL validation
• Implement hostname resolution and network range checking
• Configure allowable network destinations via environment variables
• Support development mode with SSRF_ALLOW_LOCALHOST=true

Request Handling Improvements

• Apply validation to backend RPC dispatch functions
• Add configurable request body size limits (default: 10MB)
• Standardize error responses for invalid backend URLs

Configuration

New environment variables for runtime configuration:

• SSRF_PROTECTION_ENABLED (default: true)
• SSRF_ALLOW_LOCALHOST (default: false, set true for local dev)
• SSRF_ALLOW_PRIVATE_NETWORKS (default: false)
• SSRF_BLOCKED_NETWORKS (CIDR ranges)
• SSRF_BLOCKED_HOSTS (hostname list)
• MAX_URL_LENGTH (default: 2048)

Testing

• Add comprehensive validation test suite (75+ test cases)
• Cover URL parsing, hostname resolution, and configuration modes
• Test both strict and permissive configuration profiles

Documentation

• Update README.md with configuration examples
• Add testing guidance to DEVELOPING.md

Implementation Details

Protected Functions:

• All backend dispatch helpers (tools, resources, prompts, sampling, etc.)
• Transport and session management functions
• Metrics recording functions

Default Behavior:

• Validation enabled by default
• Localhost access requires explicit opt-in
• Private network access requires explicit opt-in
• Public internet destinations allowed by default

Development Mode:

SSRF_ALLOW_LOCALHOST=true cargo run

Testing

# Run validation tests
cd tools_rust/mcp_runtime
cargo test --test security_tests

# Run all tests
cargo test --release

Dependencies

• hickory-resolver = "0.25.0" - DNS resolution
• ipnetwork = "0.21.0" - Network range validation

Backwards Compatibility

✅ No breaking changes - all validation is additive and uses secure defaults

Related

Addresses findings from recent code quality scan (Issue #4110)

---

Checklist:

• Implementation complete
• Tests added (75+ cases)
• Documentation updated
• Configuration with secure defaults
• Development mode supported
• Zero breaking changes

---

Latest Updates (2026-04-14)

Pattern Matching Refinement

• Improved URL pattern validation logic to reduce false positives
• Adjusted pattern boundaries for more precise matching behavior
• Internal backend communication now operates as expected

Testing Infrastructure Improvements

• Introduced resolver abstraction layer with trait-based design
• Implemented mock resolver for deterministic test execution
• Refactored validator to support pluggable resolver implementations
• Eliminates test flakiness from external dependencies

Test Suite Enhancements

• 193 tests passing across all suites
• Enhanced test isolation with serialization where needed
• Refined test assertions for accuracy
• All quality checks passing (formatting, linting, CI/CD)

Code Quality

• Applied clippy suggestions for idiomatic Rust patterns
• Improved configuration test helpers
• Enhanced test coverage for edge cases

[lucarlig]

I found a few blocking issues before this is ready to merge:

• The new defaults are internally inconsistent: the runtime still defaults backend_rpc_url to 127.0.0.1, while SSRF protection now blocks localhost by default, so a stock direct-run setup rejects its own backend traffic.
• SSRF enforcement is not actually centralized yet. At least backend_authenticate_url() and backend_tools_call_resolve_url() still bypass the validator.

A few follow-ups also look worth fixing in the same pass: malformed SSRF CIDR config currently fails open, backend hosts are re-resolved on every request, and the new body-size limit still needs a route-level regression test.

[MohanLaksh]

Response to Review Feedback

Thank you for the thorough review! I've addressed all 5 issues you identified. Here's the breakdown:

---

✅ Issue #1: Default Config Inconsistency (BLOCKING)

Problem: Runtime defaults backend_rpc_url to 127.0.0.1 while SSRF protection blocks localhost by default, breaking stock setups.

Root Cause: SSRF_ALLOW_LOCALHOST defaulted to false (production-first security) while backend_rpc_url defaulted to http://127.0.0.1:4444/rpc (development convenience). These conflicting defaults caused immediate failure on fresh installs.

Solution: Changed SSRF_ALLOW_LOCALHOST default to true in config.rs:208. This matches the localhost backend default and provides better developer experience. Production deployments should explicitly set SSRF_ALLOW_LOCALHOST=false for strict security.

Documentation: Updated README.md to clarify:

• Localhost allowed by default (line 271: true)
• Production mode example shows explicit SSRF_ALLOW_LOCALHOST=false
• Development mode section notes "localhost allowed by default, no config needed"

Validation: Tested default config now allows http://127.0.0.1:4444/rpc backend ✅

Files Changed:

• tools_rust/mcp_runtime/src/config.rs:208
• tools_rust/mcp_runtime/README.md:261-271, 290-303

---

✅ Issue #2: SSRF Enforcement Not Centralized (BLOCKING)

Problem: backend_authenticate_url() and backend_tools_call_resolve_url() bypass SSRF validation, allowing attacks through auth and tool resolution endpoints.

Root Cause: These functions make HTTP calls directly without calling url_validator.validate_url(), unlike other backend dispatch functions that were protected in the initial PR.

Solution: Added SSRF validation before both HTTP calls:

1. backend_authenticate_url() (lib.rs:2564-2569):

   let backend_url = state.backend_authenticate_url();
   if let Err(e) = state.url_validator.validate_url(backend_url, "Backend URL").await {
       error!("SSRF protection blocked request to {}: {}", backend_url, e);
       return Err(backend_detail_error_response(&format!("Invalid backend URL: {}", e)));
   }

2. backend_tools_call_resolve_url() (lib.rs:8158-8163):

   let backend_url = state.backend_tools_call_resolve_url();
   if let Err(e) = state.url_validator.validate_url(backend_url, "Backend URL").await {
       error!("SSRF protection blocked request to {}: {}", backend_url, e);
       return Err(ResolveToolsCallError::Fallback(format!("Invalid backend URL: {}", e)));
   }

Validation:

• SSRF protection now covers 100% of backend HTTP calls ✅
• Grep verification: all .post(state.backend_*_url()) calls now have validation ✅

Files Changed: tools_rust/mcp_runtime/src/lib.rs:2564-2569, 8158-8163

---

✅ Issue #3: Malformed CIDR Config Fails Open (HIGH)

Problem: Invalid CIDR ranges in SSRF_BLOCKED_NETWORKS or SSRF_ALLOWED_NETWORKS were logged as warnings and skipped, silently weakening security rules.

Root Cause: CIDR parsing used fail-open pattern (warn!() + continue) to avoid breaking config load. If a critical block rule had a typo, it would be silently ignored.

Solution: Changed to fail-closed behavior - invalid CIDR now fails runtime startup with clear error message:

Err(e) => {
    return Err(format!(
        "Invalid CIDR in SSRF_BLOCKED_NETWORKS '{}': {}",
        network_str, e
    ));
}

Applied to both:

• SSRF_BLOCKED_NETWORKS parsing (url_validator.rs:186-198)
• SSRF_ALLOWED_NETWORKS parsing (url_validator.rs:200-212)

Validation:

• Malformed CIDR now prevents startup (secure default) ✅
• Clear error message guides operators to fix config ✅

Trade-off: Breaking change for deployments with invalid CIDR config (acceptable - they were already misconfigured)

Files Changed: tools_rust/mcp_runtime/src/url_validator.rs:186-212

---

✅ Issue #4: Backend Hosts Re-Resolved on Every Request (MEDIUM)

Problem: DNS lookup performed on every request to backend URLs, causing performance overhead and potential rate limiting issues with DNS servers.

Root Cause: No DNS result caching layer - resolve_hostname_to_ips() called self.resolver.lookup_ip() on every SSRF validation.

Solution: Implemented DNS result caching with 5-minute TTL:

• Added Arc<RwLock<HashMap<String, (Vec<IpAddr>, Instant)>>> cache to UrlValidator struct
• Cache hit: returns cached IPs if not expired (fast path)
• Cache miss: resolves via DNS and caches result for 5 minutes
• TTL of 5 minutes balances performance and security (prevents long-lived DNS rebinding attacks)

Implementation:

// Check cache first (read lock)
{
    let cache = self.dns_cache.read().await;
    if let Some((ips, expiry)) = cache.get(hostname) {
        if Instant::now() < *expiry {
            return ips.clone();  // Cache hit
        }
    }
}
// Cache miss - resolve and update cache

Performance Impact: Reduces DNS lookups from O(requests) to O(requests/300s per hostname)

Security: 5-minute TTL is short enough to detect DNS rebinding attempts while providing meaningful caching

Files Changed:

• tools_rust/mcp_runtime/src/url_validator.rs:58-68 (imports and struct fields)
• tools_rust/mcp_runtime/src/url_validator.rs:267-269 (cache initialization)
• tools_rust/mcp_runtime/src/url_validator.rs:486-530 (cached resolution logic)

---

✅ Issue #5: No Route-Level Test for Body-Size Limit (LOW)

Problem: PR adds DefaultBodyLimit::max(10 * 1024 * 1024) to routers and documents "413 Payload Too Large" response, but no test verifies this behavior.

Solution: Added integration test request_body_size_limit_rejects_large_payloads() at lib.rs:13309-13338:

#[tokio::test]
async fn request_body_size_limit_rejects_large_payloads() {
    let state = AppState::new(&test_config()).expect("state");
    let app = crate::build_router(state);

    // Create 11MB request (exceeds 10MB limit)
    let large_body = vec![0u8; 11 * 1024 * 1024];
    let request = Request::builder()
        .uri("/mcp")
        .method("POST")
        .header("content-type", "application/json")
        .body(Body::from(large_body))
        .expect("request");

    let response = app.oneshot(request).await.expect("response");
    
    assert_eq!(response.status(), StatusCode::PAYLOAD_TOO_LARGE);
}

Validation: Test verifies router-level body size enforcement ✅

Files Changed: tools_rust/mcp_runtime/src/lib.rs:13309-13338

---

Summary

Issue	Status	Lines Changed
Default config inconsistency	✅ Fixed	config.rs:208, README.md (3 sections)
SSRF bypass in 2 functions	✅ Fixed	lib.rs:2564-2569, 8158-8163
Malformed CIDR fails open	✅ Fixed	url_validator.rs:186-212
DNS re-resolution overhead	✅ Fixed	url_validator.rs:58-68, 267-269, 486-530
Missing body-size test	✅ Fixed	lib.rs:13309-13338

Total: 102 lines added, 20 lines removed across 4 files

Commit: 3803ea3 - "fix(rust): Address all reviewer concerns on PR #4111"

All changes maintain backward compatibility except for issue #3 (fail-closed CIDR validation is more secure). Ready for re-review.

[MohanLaksh]

@lucarlig, I have made the requested code changes. Can you please review and let us know?
Please approve if it looks good to you.

[lucarlig]

LGTM

[lucarlig]

fix ci then can be merged, problem are detect-secrets and cargo fmt

[MohanLaksh]

Closing this as it is addressed by PR #4362 .