docs(openapi): correct converter comment about runtime SSRF coverage

h3xxit · h3xxit · commit f873ed6143bc · 2026-05-10T13:06:35.000+02:00
Earlier comment claimed the runtime ``ensure_secure_url`` in ``call_tool`` "already blocks the request" for loopback-redirect SSRF. That is wrong. ``ensure_secure_url`` allows ``http://`` to literal loopback hosts as a legitimate localhost-dev case, so a remote spec declaring ``servers[0].url = http://127.0.0.1:9090`` slips through the runtime gate and reaches the loopback service. Reword the comment to make the actual coverage split explicit: the runtime check catches non-loopback internal addresses (cloud metadata, RFC1918 ranges); the conversion-time check is the *only* defense for the attacker-controlled-loopback case because the spec's origin is the sole signal that distinguishes it from a legitimate localhost call, and that information only exists at conversion time. No behavior change.
diff --git a/plugins/communication_protocols/http/src/utcp_http/openapi_converter.py b/plugins/communication_protocols/http/src/utcp_http/openapi_converter.py
@@ -155,17 +155,9 @@ def convert(self) -> UtcpManual:
         elif self.spec.get("servers"):
             base_url = self.spec["servers"][0].get("url", "/")
 
-            # Defense in depth against issue #83 / GHSA-39j6-4867-gg4w:
-            # a remote OpenAPI spec must not be allowed to redirect tool
-            # invocation at the agent's own loopback interface (cloud
-            # metadata, internal admin panels, etc.). The runtime check in
-            # call_tool already blocks the request, but rejecting at
-            # conversion time produces a clearer error and prevents the
-            # malicious tools from ever entering the registry.
-            #
-            # We only reject when the *spec was fetched from a non-loopback
-            # source*. A user pointing the converter at their own
-            # localhost OpenAPI spec is allowed to declare loopback
+            # Rule: a spec fetched from a non-loopback source cannot declare
+            # a loopback server URL. A user pointing the converter at their
+            # own localhost OpenAPI spec is allowed to declare loopback
             # servers, and an explicit ``base_url`` override always wins
             # (handled above).
             if (
