security(operator): validate LLM base URL and audit changes

cbullinger · cbullinger · commit 85e01e19eb48 · 2026-04-30T11:50:15.000-04:00
A RoleOperator could redirect the Anthropic base URL to any host via
POST /operator/api/llm/settings, exfiltrating the bearer credential on the
next ping or /suggest-rule call. Address per review feedback:

- validateLLMBaseURL enforces https for Anthropic (+ any non-Ollama
  provider), rejects userinfo / opaque URIs, and honours an optional host
  allowlist via LLM_BASE_URL_ALLOWED_HOSTS.
- handleLLMSettings now persists a config_change AuditEvent (actor =
  GitHub login, old/new base URL + model) so changes are detectable
  after the fact.
- AuditEvent gains an Actor field; AuditLogger gains LogConfigChangeEvent.
diff --git a/services/audit_logger.go b/services/audit_logger.go
@@ -14,27 +14,31 @@ import (
 type AuditEventType string
 
 const (
-	AuditEventCopy        AuditEventType = "copy"
-	AuditEventDeprecation AuditEventType = "deprecation"
-	AuditEventError       AuditEventType = "error"
+	AuditEventCopy         AuditEventType = "copy"
+	AuditEventDeprecation  AuditEventType = "deprecation"
+	AuditEventError        AuditEventType = "error"
+	AuditEventConfigChange AuditEventType = "config_change"
 )
 
 // AuditEvent represents an audit log entry
 type AuditEvent struct {
-	ID             string         `bson:"_id,omitempty" json:"id,omitempty"`
-	Timestamp      time.Time      `bson:"timestamp" json:"timestamp"`
-	EventType      AuditEventType `bson:"event_type" json:"event_type"`
-	RuleName       string         `bson:"rule_name,omitempty" json:"rule_name,omitempty"`
-	SourceRepo     string         `bson:"source_repo" json:"source_repo"`
-	SourcePath     string         `bson:"source_path" json:"source_path"`
-	TargetRepo     string         `bson:"target_repo,omitempty" json:"target_repo,omitempty"`
-	TargetPath     string         `bson:"target_path,omitempty" json:"target_path,omitempty"`
-	CommitSHA      string         `bson:"commit_sha,omitempty" json:"commit_sha,omitempty"`
-	PRNumber       int            `bson:"pr_number,omitempty" json:"pr_number,omitempty"`
-	Success        bool           `bson:"success" json:"success"`
-	ErrorMessage   string         `bson:"error_message,omitempty" json:"error_message,omitempty"`
-	DurationMs     int64          `bson:"duration_ms,omitempty" json:"duration_ms,omitempty"`
-	FileSize       int64          `bson:"file_size,omitempty" json:"file_size,omitempty"`
+	ID           string         `bson:"_id,omitempty" json:"id,omitempty"`
+	Timestamp    time.Time      `bson:"timestamp" json:"timestamp"`
+	EventType    AuditEventType `bson:"event_type" json:"event_type"`
+	RuleName     string         `bson:"rule_name,omitempty" json:"rule_name,omitempty"`
+	SourceRepo   string         `bson:"source_repo" json:"source_repo"`
+	SourcePath   string         `bson:"source_path" json:"source_path"`
+	TargetRepo   string         `bson:"target_repo,omitempty" json:"target_repo,omitempty"`
+	TargetPath   string         `bson:"target_path,omitempty" json:"target_path,omitempty"`
+	CommitSHA    string         `bson:"commit_sha,omitempty" json:"commit_sha,omitempty"`
+	PRNumber     int            `bson:"pr_number,omitempty" json:"pr_number,omitempty"`
+	Success      bool           `bson:"success" json:"success"`
+	ErrorMessage string         `bson:"error_message,omitempty" json:"error_message,omitempty"`
+	DurationMs   int64          `bson:"duration_ms,omitempty" json:"duration_ms,omitempty"`
+	FileSize     int64          `bson:"file_size,omitempty" json:"file_size,omitempty"`
+	// Actor identifies the GitHub login responsible for an operator-initiated
+	// event (e.g. an LLM settings change). Empty for webhook-driven copies.
+	Actor          string         `bson:"actor,omitempty" json:"actor,omitempty"`
 	AdditionalData map[string]any `bson:"additional_data,omitempty" json:"additional_data,omitempty"`
 }
 
@@ -43,6 +47,10 @@ type AuditLogger interface {
 	LogCopyEvent(ctx context.Context, event *AuditEvent) error
 	LogDeprecationEvent(ctx context.Context, event *AuditEvent) error
 	LogErrorEvent(ctx context.Context, event *AuditEvent) error
+	// LogConfigChangeEvent records an operator-initiated configuration change
+	// (e.g. LLM base URL or active model). Used for after-the-fact detection
+	// of suspicious changes — the event captures who, what, and old→new value.
+	LogConfigChangeEvent(ctx context.Context, event *AuditEvent) error
 	GetRecentEvents(ctx context.Context, limit int) ([]AuditEvent, error)
 	GetFailedEvents(ctx context.Context, limit int) ([]AuditEvent, error)
 	GetEventsByRule(ctx context.Context, ruleName string, limit int) ([]AuditEvent, error)
@@ -183,6 +191,14 @@ func (mal *MongoAuditLogger) LogErrorEvent(ctx context.Context, event *AuditEven
 	return err
 }
 
+// LogConfigChangeEvent logs an operator-initiated configuration change.
+func (mal *MongoAuditLogger) LogConfigChangeEvent(ctx context.Context, event *AuditEvent) error {
+	event.EventType = AuditEventConfigChange
+	event.Timestamp = time.Now()
+	_, err := mal.collection.InsertOne(ctx, event)
+	return err
+}
+
 // QueryAuditEvents retrieves audit events matching the given filter criteria.
 func (mal *MongoAuditLogger) QueryAuditEvents(ctx context.Context, q AuditListQuery) ([]AuditEvent, error) {
 	limit := q.Limit
@@ -362,6 +378,9 @@ func (nal *NoOpAuditLogger) LogDeprecationEvent(ctx context.Context, event *Audi
 	return nil
 }
 func (nal *NoOpAuditLogger) LogErrorEvent(ctx context.Context, event *AuditEvent) error { return nil }
+func (nal *NoOpAuditLogger) LogConfigChangeEvent(ctx context.Context, event *AuditEvent) error {
+	return nil
+}
 func (nal *NoOpAuditLogger) GetRecentEvents(ctx context.Context, limit int) ([]AuditEvent, error) {
 	return []AuditEvent{}, nil
 }
diff --git a/services/operator_llm_admin.go b/services/operator_llm_admin.go
@@ -7,10 +7,96 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
+	"os"
 	"strings"
 	"time"
 )
 
+// llmBaseURLAllowedHostsEnv lets deployments pin the set of hosts an operator
+// can route the LLM client at (comma-separated, host[:port], case-insensitive).
+// Unset = no host pinning; scheme rules below still apply.
+const llmBaseURLAllowedHostsEnv = "LLM_BASE_URL_ALLOWED_HOSTS"
+
+// validateLLMBaseURL enforces scheme + host rules on operator-supplied LLM base
+// URLs. Hosted providers (anthropic) ship a bearer credential to whatever host
+// the client points at, so we require https and reject userinfo / opaque URIs;
+// otherwise a malicious operator could exfiltrate the API key by setting the
+// base URL to a host they control. Ollama is exempt from the https requirement
+// because the legitimate default is http://localhost:11434 for local dev.
+//
+// Returns the cleaned URL (trailing slash trimmed) or an error suitable for a
+// 400 response. allowedHosts may be empty to skip host pinning.
+func validateLLMBaseURL(provider, raw string, allowedHosts []string) (string, error) {
+	raw = strings.TrimSpace(raw)
+	if raw == "" {
+		return "", fmt.Errorf("base_url is required")
+	}
+	u, err := url.Parse(raw)
+	if err != nil {
+		return "", fmt.Errorf("base_url is not a valid URL: %w", err)
+	}
+	if u.Scheme == "" || u.Host == "" {
+		return "", fmt.Errorf("base_url must be an absolute URL with scheme and host")
+	}
+	// Reject userinfo (https://attacker@victim.com/) and opaque forms — both
+	// confuse host-based allowlisting and have no legitimate use here.
+	if u.User != nil {
+		return "", fmt.Errorf("base_url must not contain userinfo")
+	}
+	if u.Opaque != "" {
+		return "", fmt.Errorf("base_url must not be opaque")
+	}
+	scheme := strings.ToLower(u.Scheme)
+	prov := strings.ToLower(strings.TrimSpace(provider))
+	switch prov {
+	case "anthropic":
+		if scheme != "https" {
+			return "", fmt.Errorf("base_url for anthropic must use https (got %q)", scheme)
+		}
+	case "", "ollama":
+		// Local dev commonly uses http://localhost:11434.
+		if scheme != "http" && scheme != "https" {
+			return "", fmt.Errorf("base_url must use http or https (got %q)", scheme)
+		}
+	default:
+		if scheme != "https" {
+			return "", fmt.Errorf("base_url must use https (got %q)", scheme)
+		}
+	}
+	if len(allowedHosts) > 0 {
+		host := strings.ToLower(u.Host)
+		ok := false
+		for _, h := range allowedHosts {
+			if strings.EqualFold(strings.TrimSpace(h), host) {
+				ok = true
+				break
+			}
+		}
+		if !ok {
+			return "", fmt.Errorf("base_url host %q is not in the allowlist", u.Host)
+		}
+	}
+	return strings.TrimSuffix(raw, "/"), nil
+}
+
+// llmBaseURLAllowedHosts reads and parses LLM_BASE_URL_ALLOWED_HOSTS. Returns
+// nil when unset so callers know to skip host pinning.
+func llmBaseURLAllowedHosts() []string {
+	raw := strings.TrimSpace(os.Getenv(llmBaseURLAllowedHostsEnv))
+	if raw == "" {
+		return nil
+	}
+	parts := strings.Split(raw, ",")
+	out := make([]string, 0, len(parts))
+	for _, p := range parts {
+		if p = strings.TrimSpace(p); p != "" {
+			out = append(out, p)
+		}
+	}
+	return out
+}
+
 // handleLLMStatus returns the current LLM settings, reachability, and installed models.
 func (o *operatorUI) handleLLMStatus(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
@@ -91,27 +177,91 @@ func (o *operatorUI) handleLLMSettings(w http.ResponseWriter, r *http.Request) {
 		_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid json"})
 		return
 	}
+	// Capture pre-change state for the audit record. This must happen before
+	// any setter call so the "before" value reflects what the operator changed
+	// from, not what they changed to.
+	oldModel := o.llm.GetActiveModel()
+	oldBaseURL := o.llm.GetBaseURL()
 	changed := false
-	if m := strings.TrimSpace(req.ActiveModel); m != "" {
+	newModel := oldModel
+	newBaseURL := oldBaseURL
+	if m := strings.TrimSpace(req.ActiveModel); m != "" && m != oldModel {
 		o.llm.SetActiveModel(m)
+		newModel = o.llm.GetActiveModel()
 		changed = true
 	}
 	if u := strings.TrimSpace(req.BaseURL); u != "" {
-		o.llm.SetBaseURL(u)
-		changed = true
+		// Validate before applying. The Anthropic client ships the bearer
+		// credential to whatever host the base URL points at — without
+		// scheme/host validation, an operator could redirect the credential
+		// to a host they control.
+		cleaned, err := validateLLMBaseURL(o.cfg.LLMProvider, u, llmBaseURLAllowedHosts())
+		if err != nil {
+			w.WriteHeader(http.StatusBadRequest)
+			_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
+			return
+		}
+		if cleaned != oldBaseURL {
+			o.llm.SetBaseURL(cleaned)
+			newBaseURL = o.llm.GetBaseURL()
+			changed = true
+		}
 	}
 	// Invalidate the ping cache on mutation so the next /llm/status call
 	// re-checks liveness against the new config — otherwise an operator
 	// flipping the URL sees a stale "connected" line for up to 30s.
 	if changed {
 		o.llmPing.invalidate()
+		o.recordLLMSettingsAudit(r, oldBaseURL, newBaseURL, oldModel, newModel)
 	}
 	_ = json.NewEncoder(w).Encode(map[string]any{
 		"active_model": o.llm.GetActiveModel(),
 		"base_url":     o.llm.GetBaseURL(),
 	})
 }
 
+// recordLLMSettingsAudit emits a structured log line and (when MongoDB audit
+// logging is enabled) persists a config_change event capturing who changed
+// what. This is the detection backstop for the SetBaseURL credential-exfil
+// risk: scheme/host validation blocks the obvious cases, but a persisted
+// trail of every successful change lets responders spot abuse after the fact.
+func (o *operatorUI) recordLLMSettingsAudit(r *http.Request, oldBaseURL, newBaseURL, oldModel, newModel string) {
+	actor := ""
+	if u := operatorUserFromCtx(r); u != nil {
+		actor = u.Login
+	}
+	LogInfo("operator changed LLM settings",
+		"actor", actor,
+		"provider", o.cfg.LLMProvider,
+		"old_base_url", oldBaseURL,
+		"new_base_url", newBaseURL,
+		"old_model", oldModel,
+		"new_model", newModel,
+	)
+	if o.container == nil || o.container.AuditLogger == nil {
+		return
+	}
+	// Use a detached short-timeout context: writing the audit row must not
+	// fail just because the client disconnected after receiving the 200.
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	ev := &AuditEvent{
+		Actor:   actor,
+		Success: true,
+		AdditionalData: map[string]any{
+			"setting":      "llm",
+			"provider":     o.cfg.LLMProvider,
+			"old_base_url": oldBaseURL,
+			"new_base_url": newBaseURL,
+			"old_model":    oldModel,
+			"new_model":    newModel,
+		},
+	}
+	if err := o.container.AuditLogger.LogConfigChangeEvent(ctx, ev); err != nil {
+		LogWarning("audit LogConfigChangeEvent failed", "error", err)
+	}
+}
+
 // handleLLMDeleteModel deletes a model from the LLM server.
 func (o *operatorUI) handleLLMDeleteModel(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodDelete {
diff --git a/services/operator_llm_admin_test.go b/services/operator_llm_admin_test.go
