fix(community): validate redirects in RecursiveUrlLoader (#10116)

Author: hntrl

.changeset/ssrf-redirect-bypass.md

@@ -0,0 +1,5 @@
+---
+"@langchain/community": patch
+---
+
+Validate redirects in RecursiveUrlLoader to prevent SSRF bypasses.

libs/langchain-community/src/document_loaders/tests/recursive_url.test.ts

@@ -1,6 +1,105 @@
-import { test, describe, expect } from "@jest/globals";
+import {
+  test,
+  describe,
+  expect,
+  jest,
+  beforeEach,
+  afterEach,
+} from "@jest/globals";
 import { RecursiveUrlLoader } from "../web/recursive_url.js";
 
+const _originalFetch = globalThis.fetch;
+
+describe("RecursiveUrlLoader - Redirect SSRF Protection", () => {
+  afterEach(() => {
+    globalThis.fetch = _originalFetch;
+  });
+
+  test("blocks redirects to private IPs (localhost)", async () => {
+    globalThis.fetch = jest.fn<typeof fetch>().mockResolvedValue(
+      new Response(null, {
+        status: 302,
+        headers: { Location: "http://127.0.0.1/admin" },
+      })
+    );
+
+    const loader = new RecursiveUrlLoader("https://example.com/", {
+      maxDepth: 0,
+    });
+    const docs = await loader.load();
+    expect(docs).toHaveLength(0);
+  });
+
+  test("blocks redirects to cloud metadata IPs", async () => {
+    globalThis.fetch = jest.fn<typeof fetch>().mockResolvedValue(
+      new Response(null, {
+        status: 302,
+        headers: { Location: "http://169.254.169.254/latest/meta-data/" },
+      })
+    );
+
+    const loader = new RecursiveUrlLoader("https://example.com/", {
+      maxDepth: 0,
+    });
+    const docs = await loader.load();
+    expect(docs).toHaveLength(0);
+  });
+
+  test("blocks redirects to private network ranges", async () => {
+    globalThis.fetch = jest.fn<typeof fetch>().mockResolvedValue(
+      new Response(null, {
+        status: 302,
+        headers: { Location: "http://192.168.1.1/internal" },
+      })
+    );
+
+    const loader = new RecursiveUrlLoader("https://example.com/", {
+      maxDepth: 0,
+    });
+    const docs = await loader.load();
+    expect(docs).toHaveLength(0);
+  });
+
+  test("follows safe redirects", async () => {
+    globalThis.fetch = jest
+      .fn<typeof fetch>()
+      .mockResolvedValueOnce(
+        new Response(null, {
+          status: 301,
+          headers: { Location: "https://www.example.com/" },
+        })
+      )
+      .mockResolvedValueOnce(
+        new Response("<html><body>Hello</body></html>", {
+          status: 200,
+          headers: { "Content-Type": "text/html" },
+        })
+      );
+
+    const loader = new RecursiveUrlLoader("https://example.com/", {
+      maxDepth: 0,
+    });
+    const docs = await loader.load();
+    expect(docs).toHaveLength(1);
+    expect(docs[0].pageContent).toContain("Hello");
+  });
+
+  test("throws on too many redirects", async () => {
+    globalThis.fetch = jest.fn<typeof fetch>().mockResolvedValue(
+      new Response(null, {
+        status: 302,
+        headers: { Location: "https://example.com/loop" },
+      })
+    );
+
+    const loader = new RecursiveUrlLoader("https://example.com/", {
+      maxDepth: 0,
+    });
+    const docs = await loader.load();
+    expect(docs).toHaveLength(0);
+  });
+});
+
 describe("RecursiveUrlLoader - URL Origin Validation", () => {
   describe("preventOutside origin checking", () => {
     test("allows URLs with same origin", async () => {

libs/langchain-community/src/document_loaders/web/recursive_url.ts

@@ -10,6 +10,9 @@ import {
 const virtualConsole = new VirtualConsole();
 virtualConsole.on("error", () => {});
 
+const MAX_REDIRECTS = 10;
+const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);
+
 export interface RecursiveUrlLoaderOptions {
   excludeDirs?: string[];
   extractor?: (text: string) => string;
@@ -59,9 +62,32 @@ export class RecursiveUrlLoader
     options: { timeout: number } & RequestInit
   ): Promise<Response> {
     const { timeout, ...rest } = options;
-    return this.caller.call(() =>
-      fetch(resource, { ...rest, signal: AbortSignal.timeout(timeout) })
-    );
+    let currentUrl = resource;
+
+    for (let i = 0; i <= MAX_REDIRECTS; i++) {
+      validateSafeUrl(currentUrl, { allowHttp: true });
+
+      const response = await this.caller.call(() =>
+        fetch(currentUrl, {
+          ...rest,
+          redirect: "manual",
+          signal: AbortSignal.timeout(timeout),
+        })
+      );
+
+      if (REDIRECT_CODES.has(response.status)) {
+        const location = response.headers.get("location");
+        if (!location) {
+          throw new Error("Redirect response missing Location header");
+        }
+        currentUrl = new URL(location, currentUrl).href;
+        continue;
+      }
+
+      return response;
+    }
+
+    throw new Error(`Too many redirects (max ${MAX_REDIRECTS})`);
   }
 
   private getChildLinks(html: string, baseUrl: string): Array<string> {
@@ -143,7 +169,6 @@ export class RecursiveUrlLoader
   private async getUrlAsDoc(url: string): Promise<Document | null> {
     let res;
     try {
-      validateSafeUrl(url, { allowHttp: true });
       res = await this.fetchWithTimeout(url, { timeout: this.timeout });
       res = await res.text();
     } catch {
@@ -171,7 +196,6 @@ export class RecursiveUrlLoader
 
     let res;
     try {
-      await validateSafeUrl(url, { allowHttp: true });
       res = await this.fetchWithTimeout(url, { timeout: this.timeout });
       res = await res.text();
     } catch {