[Audit v2 #345] Reject non-loopback Host/Origin (DNS-rebinding guard) (#375)

* Reject non-loopback Host/Origin on WS + HTTP transports (audit-v2 #1)

Closes #345 — refs #343 (audit-v2 umbrella).

Both transports bound to 127.0.0.1, but a malicious browser tab could
mount **DNS rebinding**: resolve attacker.example.com to 127.0.0.1,
then `new WebSocket("ws://attacker.example.com:9500")`. The request
lands on our loopback socket carrying a non-localhost Host (and
Origin), the WS handshake registered the peer as a session, and any
MCP tool became drivable from a foreign origin — including write
tools.

The streamable-HTTP transport on :8000 had the same gap, including
`/godot-ai/status` (comment-marked "small unauthenticated probe").

Per the issue's "Fix shape": **strict Host/Origin allowlist in a
Starlette middleware ahead of FastMCP** plus a matching `process_request`
hook on the WebSocket server.

`src/godot_ai/transport/origin_guard.py` (new):

- `is_allowed_host` — accepts `127.0.0.1`, `localhost`, `[::1]` with
  optional `:port`; case-insensitive; bare `::1` rejected (RFC 7230
  requires bracketed IPv6 in Host).
- `is_allowed_origin` — None / empty / `null` accepted (native clients
  omit Origin; sandboxed/file:// emit `null`); otherwise must parse to
  a URL whose hostname is loopback. Schemes outside `http/https/ws/wss`
  rejected.
- `LocalhostOnlyHTTPMiddleware` — ASGI middleware. Rejects on first
  failure with HTTP 403; passes lifespan scopes through; handles
  duplicate-Host smuggling shapes (fail closed when the same header
  appears more than once).
- `make_websocket_request_guard()` — `process_request` hook for
  `websockets.asyncio.server.serve(...)` mirroring the same logic.
  Uses `headers.get_all` so a smuggled duplicate Host fails closed
  rather than tripping `MultipleValuesError` and surfacing as 500.

Wiring:

- `transport/websocket.py`: pass `process_request=` to `serve()`.
- `server.py`: outermost wrap on the HTTP app, applied to every
  HTTP transport (`http`, `streamable-http`, `sse`) so `/godot-ai/status`
  and the FastMCP endpoints are guarded uniformly.

Native clients keep working: the Godot plugin's WebSocketPeer sends
`Host: 127.0.0.1:<port>` and no Origin. Verified by smoke against a
real WebSocketServer (loopback connect → `handshake_ack`; rebound
Origin → 403) and against the streamable-HTTP transport
(`/godot-ai/status`: loopback → 200, `Host: attacker.example.com` → 403,
loopback Host + browser Origin → 403).

Tests:

- `tests/unit/test_origin_guard.py` (44 tests):
  parametrized helper coverage (loopback / sneaky-substring / IP /
  malformed / multiple smuggled values), middleware behavior, lifespan
  passthrough, `state` `__getattr__` passthrough.
- `tests/integration/test_websocket.py::TestDnsRebindingGuard` (5
  tests): live `websockets` server + client. Loopback succeeds,
  non-loopback Host returns 403, non-loopback Origin returns 403,
  loopback-shaped Origin succeeds, rejected request never registers
  a session.
- `tests/unit/test_asgi_session_diagnostics.py`: structural assertions
  updated for the new outer wrap; FastMCP `state` lookup now traverses
  one extra layer.
- `tests/unit/test_server_status.py`: `TestClient(base_url=...)` set
  to a loopback host so the request passes the new guard.

Test plan:
- ruff check + format: clean
- pytest -q: 825 passed (+45 new)
- script/ci-check-gdscript: clean (no GDScript touched)
- Live smoke: real `GodotWebSocketServer` and real streamable-HTTP
  app, loopback succeeds, non-loopback Host/Origin → 403.

Note: PR #366 (audit-v2 #2, session-hijack) closes the
duplicate-handshake takeover. This PR closes the rebinding-from-browser
path. Together they harden the WebSocket transport at both layers
(who can connect, and what they can do once they have).

* Simplify: extract evaluate_loopback so WS + HTTP guards can't drift

Both the WebSocket ``process_request`` hook and ``LocalhostOnlyHTTPMiddleware``
implemented the same 3-step rule (count duplicate headers → check
``is_allowed_host`` → check ``is_allowed_origin`` → 403) twice, with
slightly different intermediate state. Funnel both through one
``evaluate_loopback(hosts, origins) -> bool`` so a regression in one
transport cannot accidentally diverge from the other.

Drive-by:

- Decode FORBIDDEN_BODY once at module load (FORBIDDEN_BODY_TEXT) so
  the WS guard doesn't decode the same bytes per rejection.
- Drop redundant ``parsed.scheme.lower()`` — ``urlsplit`` already
  normalises the scheme per RFC 3986.

No behavior change. 825 tests pass.

* Address Copilot review: reject Origin: null + Sec-Fetch-Site cross-origin

Two browser-side liveness/bypass shapes that the first cut of the
loopback guard let through:

1. **``Origin: null``** (Copilot, origin_guard.py:85). Sandboxed
   ``<iframe sandbox>`` and downloaded ``file://`` pages serialize
   their origin as ``null``. The original guard accepted this on the
   theory that file:// /sandboxed contexts are "legitimate"; in
   practice they're exactly the bypass an attacker would use to bridge
   a foreign origin onto our loopback socket. **Now rejected.** Native
   clients never produce ``null`` (they omit Origin entirely), so this
   tightening is invisible to the Godot plugin / FastMCP CLI / curl.

2. **Cross-origin no-cors subresource probes** (Copilot, server.py:79).
   `<img src="http://127.0.0.1:9500/godot-ai/status">` from
   ``https://attacker.example.com`` arrives with a loopback ``Host``
   and *no* ``Origin`` (browsers omit Origin for ``no-cors`` GETs of
   ``<img>`` / ``<script>`` / ``<link>``), so the original Host/Origin
   gate let it through and the page could use the 200/403 outcome as
   a liveness oracle. Browsers stamp every HTTP request with
   ``Sec-Fetch-Site`` (``cross-site`` / ``same-site`` / ``same-origin``
   / ``none``). Native non-browser clients never send it. **The guard
   now rejects ``cross-site`` and ``same-site``** while still allowing
   ``none`` (top-level navigation: user typed URL, bookmark) and
   ``same-origin`` (loopback page fetching its own server). Missing →
   allow (native client), preserving the existing flow.

Drive-by: trailing-dot loopback (``Host: localhost.``) now accepted.
RFC 1034 valid FQDN syntax that browsers and curl can preserve through
to the Host header — friction trap if rejected, no security
implication either way.

`evaluate_loopback` now takes an optional ``sec_fetch_sites`` list so
both transports run the new policy through the same single helper —
preserves the audit-v2 invariant that the WS hook and HTTP middleware
cannot drift.

Tests:

- New parametrized helper coverage for ``is_allowed_sec_fetch_site``
  (friendly + foreign + case-insensitive + whitespace), trailing-dot
  hosts, and explicit ``Origin: null`` rejection.
- Two new ``evaluate_loopback`` cases pinning the cross-site rejection
  with no-Origin (the exact Copilot shape) and ``Origin: null`` with
  any Sec-Fetch-Site value.
- Three new ``LocalhostOnlyHTTPMiddleware`` middleware cases:
  ``Origin: null`` rejected, cross-site subresource rejected, top-level
  navigation accepted.
- Three new live-WS integration cases pinning the same rules end-to-end
  through the websockets ``process_request`` hook, plus a
  bracketed-IPv6 ``http://[::1]:9500`` symmetry test for the WS path.

Live smoke: native loopback connect → ``handshake_ack`` ✓; ``Origin: null``
WS connect → 403 ✓; ``Sec-Fetch-Site: cross-site`` WS connect → 403 ✓;
``Origin: null`` HTTP probe → 403 ✓; cross-site HTTP probe → 403 ✓.

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: dsarno

src/godot_ai/server.py

@@ -51,6 +51,7 @@
 from godot_ai.tools.testing import register_testing_tools
 from godot_ai.tools.theme import register_theme_tools
 from godot_ai.tools.ui import register_ui_tools
+from godot_ai.transport.origin_guard import LocalhostOnlyHTTPMiddleware
 from godot_ai.transport.websocket import GodotWebSocketServer
 
 logger = logging.getLogger(__name__)
@@ -70,8 +71,12 @@ def http_app(self, *args: Any, **kwargs: Any):
         app = super().http_app(*args, **kwargs)
         transport = kwargs.get("transport", "http")
         if transport in ("http", "streamable-http"):
-            return StaleMcpSessionDiagnosticMiddleware(app)
-        return app
+            app = StaleMcpSessionDiagnosticMiddleware(app)
+        ## Outermost wrap: refuse non-loopback Host/Origin (DNS-rebinding
+        ## guard, audit-v2 finding #1). Applied to every HTTP transport
+        ## including ``sse`` so ``/godot-ai/status`` and the FastMCP
+        ## endpoints are guarded uniformly.
+        return LocalhostOnlyHTTPMiddleware(app)
 
 
 def create_server(

src/godot_ai/transport/origin_guard.py

@@ -0,0 +1,247 @@
+"""Loopback Host/Origin guard for the WebSocket and HTTP transports.
+
+The WebSocket server binds to ``127.0.0.1`` and the streamable-HTTP
+transport likewise. That stops *direct* off-host traffic but does not
+stop a browser tab on a malicious origin from mounting **DNS rebinding**:
+the browser resolves ``attacker.example.com`` to ``127.0.0.1`` and then
+issues ``new WebSocket("ws://attacker.example.com:9500")``. The request
+lands on our loopback socket carrying a non-localhost ``Host`` (and
+``Origin``) header.
+
+This module enforces a Host/Origin allowlist that rejects those rebound
+requests *before* the WebSocket upgrade runs or any HTTP route fires:
+
+- ``Host`` must resolve to one of ``127.0.0.1``, ``localhost`` or
+  ``[::1]`` — with an optional ``:port``. RFC 7230 requires bracketed
+  form for IPv6 in HTTP/1.1 Host headers, so a bare ``::1`` is not
+  accepted (would be a malformed request).
+- ``Origin`` is validated only when present (native non-browser clients
+  omit it). A present Origin must be empty or a URL whose hostname
+  matches the loopback allowlist. ``Origin: null`` is **rejected** —
+  browsers emit it from sandboxed iframes and downloaded ``file://``
+  pages, which is exactly the rebinding-bypass shape. Native clients
+  do not produce ``null`` (they omit Origin entirely).
+- ``Sec-Fetch-Site`` is also checked when present: any value other than
+  ``same-origin`` / ``none`` (i.e. browser-issued cross-origin
+  subresources or navigations from a foreign page) is refused. This
+  catches `<img src=...>` / `<link>` / `<script>` liveness oracles
+  against ``/godot-ai/status``, where browsers send a loopback ``Host``
+  and *no* ``Origin`` for "no-cors" subresource loads. Native clients
+  never send ``Sec-Fetch-*`` (it's a Fetch-Metadata header set only by
+  browsers), so missing means "allow".
+
+Native clients (the Godot plugin, the FastMCP CLI client, ``curl`` with
+no ``-H Origin``) keep working unchanged. Browser-driven traffic — even
+``no-cors`` subresources that wouldn't carry an Origin — is refused with
+HTTP 403 long before reaching FastMCP or our session registry.
+
+See umbrella #343, finding #1 (audit-v2).
+"""
+
+from __future__ import annotations
+
+from http import HTTPStatus
+from typing import Any
+from urllib.parse import urlsplit
+
+from starlette.types import ASGIApp, Receive, Scope, Send
+
+LOOPBACK_HOSTNAMES: frozenset[str] = frozenset({"127.0.0.1", "localhost", "[::1]"})
+LOOPBACK_ORIGIN_SCHEMES: frozenset[str] = frozenset({"http", "https", "ws", "wss"})
+
+FORBIDDEN_BODY = (
+    b"forbidden: non-loopback Host or Origin (DNS rebinding guard)\n"
+    b"see https://github.com/hi-godot/godot-ai issue #345 for details\n"
+)
+FORBIDDEN_BODY_TEXT = FORBIDDEN_BODY.decode("utf-8")
+
+
+## Sec-Fetch-Site values that indicate the request is browser-driven and
+## NOT a top-level navigation or same-origin operation. Modern browsers
+## always send Sec-Fetch-Site on HTTP requests (including ``no-cors``
+## subresources like ``<img>`` / ``<script>`` / ``<link>`` that carry
+## *no* Origin); native non-browser clients never send it.
+SEC_FETCH_SITE_FOREIGN: frozenset[str] = frozenset({"cross-site", "same-site"})
+
+
+def _normalise_host(host: str) -> str:
+    """Return ``host`` with a trailing ``:port`` stripped, lowercased,
+    and with any single trailing DNS root dot removed.
+
+    Handles bracketed IPv6 (``[::1]:9500`` → ``[::1]``), bare-name forms
+    (``LOCALHOST:8000`` → ``localhost``), and the rare-but-valid trailing
+    dot (``localhost.`` → ``localhost``) so the allowlist lookup is
+    independent of caller punctuation.
+    """
+    if not host:
+        return host
+    if host.startswith("[") and "]" in host:
+        without_port = host[: host.index("]") + 1]
+    else:
+        without_port = host.split(":", 1)[0]
+    normalised = without_port.lower()
+    if normalised.endswith(".") and not normalised.endswith(".]"):
+        normalised = normalised.rstrip(".")
+    return normalised
+
+
+def is_allowed_host(host_header: str | None) -> bool:
+    """Whether ``host_header`` resolves to a loopback name.
+
+    Empty or missing returns False — a properly formed HTTP/1.1 request
+    always carries a Host header, and refusing the request is safer than
+    guessing. The WebSocket guard mirrors this.
+    """
+    if not host_header:
+        return False
+    return _normalise_host(host_header.strip()) in LOOPBACK_HOSTNAMES
+
+
+def is_allowed_origin(origin_header: str | None) -> bool:
+    """Whether ``origin_header`` is absent or names a loopback URL.
+
+    Native clients do not send Origin. Browsers always do, and the
+    request is rejected unless the Origin parses to a loopback URL.
+    ``Origin: null`` is rejected — sandboxed iframes and downloaded
+    ``file://`` pages emit it, which is the exact bypass an attacker
+    would use to bridge a foreign origin onto our loopback socket.
+    """
+    if origin_header is None:
+        return True
+    value = origin_header.strip()
+    if not value:
+        return True
+    if value.lower() == "null":
+        return False
+    parsed = urlsplit(value)
+    ## ``urlsplit`` already lowercases the scheme per RFC 3986, so no
+    ## extra normalization is needed before the set lookup.
+    if parsed.scheme not in LOOPBACK_ORIGIN_SCHEMES:
+        return False
+    if not parsed.hostname:
+        return False
+    hostname = parsed.hostname.lower().rstrip(".")
+    # urlsplit strips IPv6 brackets — re-add for the bracketed-form lookup.
+    bracketed = f"[{hostname}]" if ":" in hostname else hostname
+    return hostname in LOOPBACK_HOSTNAMES or bracketed in LOOPBACK_HOSTNAMES
+
+
+def is_allowed_sec_fetch_site(value: str | None) -> bool:
+    """Whether the ``Sec-Fetch-Site`` header indicates a non-foreign request.
+
+    Modern browsers stamp every HTTP request with one of ``cross-site``,
+    ``same-site``, ``same-origin`` or ``none`` (top-level navigation /
+    bookmark). Native clients never send it. Treat missing as "allow"
+    (native client) and the foreign values as "reject" — the rest of the
+    allowlist still has to pass, this is just an early-out for the
+    `<img src=...>` / `<script src=...>` cross-origin probe shape that
+    would otherwise slip past a loopback Host / missing Origin.
+    """
+    if value is None:
+        return True
+    return value.strip().lower() not in SEC_FETCH_SITE_FOREIGN
+
+
+def evaluate_loopback(
+    hosts: list[str],
+    origins: list[str],
+    sec_fetch_sites: list[str] | None = None,
+) -> bool:
+    """Return True iff the request's headers pass the allowlist.
+
+    Both transports (ASGI middleware + WebSocket ``process_request``)
+    funnel their per-request header extraction through this helper so
+    the duplicate-header smuggling rule, the value-allowlist rule, and
+    the Sec-Fetch-Site cross-origin reject rule are evaluated identically.
+    A divergence between the two transports would be a security
+    regression — this helper exists to prevent it.
+    """
+    if len(hosts) > 1 or len(origins) > 1:
+        return False
+    if sec_fetch_sites and len(sec_fetch_sites) > 1:
+        return False
+    host = hosts[0] if hosts else None
+    origin = origins[0] if origins else None
+    sec_fetch_site = sec_fetch_sites[0] if sec_fetch_sites else None
+    return (
+        is_allowed_host(host)
+        and is_allowed_origin(origin)
+        and is_allowed_sec_fetch_site(sec_fetch_site)
+    )
+
+
+class LocalhostOnlyHTTPMiddleware:
+    """ASGI middleware that rejects HTTP requests off the loopback allowlist.
+
+    Wraps the FastMCP ASGI app so the guard runs *before* the MCP
+    streamable-HTTP session manager, before ``/godot-ai/status``, and
+    before any inner middleware. Non-HTTP scopes (lifespan) pass through.
+    """
+
+    def __init__(self, app: ASGIApp) -> None:
+        self.app = app
+
+    def __getattr__(self, name: str) -> Any:
+        # Mirror StaleMcpSessionDiagnosticMiddleware: FastMCP / uvicorn
+        # introspect attributes (e.g. ``state``) on the wrapped ASGI app.
+        return getattr(self.app, name)
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        if scope["type"] != "http":
+            await self.app(scope, receive, send)
+            return
+
+        hosts: list[str] = []
+        origins: list[str] = []
+        sec_fetch_sites: list[str] = []
+        for raw_key, raw_value in scope.get("headers", []):
+            key = raw_key.lower()
+            if key == b"host":
+                hosts.append(raw_value.decode("latin-1"))
+            elif key == b"origin":
+                origins.append(raw_value.decode("latin-1"))
+            elif key == b"sec-fetch-site":
+                sec_fetch_sites.append(raw_value.decode("latin-1"))
+
+        if evaluate_loopback(hosts, origins, sec_fetch_sites):
+            await self.app(scope, receive, send)
+            return
+        await _send_forbidden(send)
+
+
+async def _send_forbidden(send: Send) -> None:
+    await send(
+        {
+            "type": "http.response.start",
+            "status": HTTPStatus.FORBIDDEN,
+            "headers": [
+                (b"content-type", b"text/plain; charset=utf-8"),
+                (b"content-length", str(len(FORBIDDEN_BODY)).encode("ascii")),
+            ],
+        }
+    )
+    await send({"type": "http.response.body", "body": FORBIDDEN_BODY, "more_body": False})
+
+
+def make_websocket_request_guard():
+    """Return a ``process_request`` hook for ``websockets.asyncio.server.serve``.
+
+    The hook fires before the WebSocket upgrade. When Host or Origin
+    fails the loopback allowlist the hook synthesizes an HTTP 403 via
+    ``connection.respond(...)``; returning that response from
+    ``process_request`` aborts the upgrade without ever creating a
+    Session.
+    """
+
+    async def guard(connection, request):
+        ## Use ``get_all`` so a smuggled duplicate (two ``Host:`` lines)
+        ## fails closed rather than tripping ``MultipleValuesError`` at
+        ## ``request.headers.get(...)`` and surfacing as an opaque 500.
+        hosts = list(request.headers.get_all("Host"))
+        origins = list(request.headers.get_all("Origin"))
+        sec_fetch_sites = list(request.headers.get_all("Sec-Fetch-Site"))
+        if evaluate_loopback(hosts, origins, sec_fetch_sites):
+            return None
+        return connection.respond(HTTPStatus.FORBIDDEN, FORBIDDEN_BODY_TEXT)
+
+    return guard

src/godot_ai/transport/websocket.py

@@ -14,6 +14,7 @@
 from godot_ai import __version__ as _SERVER_VERSION
 from godot_ai.protocol.envelope import CommandRequest, CommandResponse, HandshakeMessage
 from godot_ai.sessions.registry import Session, SessionRegistry
+from godot_ai.transport.origin_guard import make_websocket_request_guard
 
 logger = logging.getLogger(__name__)
 
@@ -37,6 +38,10 @@ async def start(self):
                 "127.0.0.1",
                 self.port,
                 max_size=4 * 1024 * 1024,  # 4 MB for screenshot base64
+                # Reject DNS-rebinding attempts before the upgrade — see
+                # godot_ai.transport.origin_guard. Native plugin clients
+                # carry a loopback Host and no Origin, so they pass through.
+                process_request=make_websocket_request_guard(),
             ):
                 await asyncio.Future()  # run forever
         except OSError as e: