mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 14:25:21 +00:00
fix(security): gate AI tools by user ability and block admin-URL SSRF
The AI chat assistant scoped tool queries by company but ignored the per-user Bouncer abilities the rest of the app enforces, so any `use ai` holder could read customers, invoices, payments, and company financials their role couldn't otherwise see. Each AiTool now declares a required ability (entity-aligned); the registry hides unauthorized tools from the model and refuses to execute them as a backstop. Separately, admin/owner-supplied URLs were fetched server-side with no guard against private/reserved targets (SSRF): the AI base URL, the CurrencyConverter "DEDICATED" exchange-rate URL, and S3/Spaces file-disk endpoints. A shared PrivateNetworkGuard now backs a PublicHttpUrl validation rule (save-time) and runtime guards in each driver. - AiTool::requiredAbility() + mapping across all 12 tools - AiToolRegistry filters schemas() by ability and re-checks in execute() - PrivateNetworkGuard / BlockedUrlException / PublicHttpUrl rule (new) - Rule wired into AI config (service + 3 controllers), exchange-rate, and file-disk endpoints; runtime guards in OpenRouterDriver, CurrencyConverterDriver, and FileDiskService - Tests for ability filtering, the guard, the rule, and 422 rejections
This commit is contained in:
26
tests/Unit/OpenRouterDriverTest.php
Normal file
26
tests/Unit/OpenRouterDriverTest.php
Normal file
@@ -0,0 +1,26 @@
|
||||
<?php
|
||||
|
||||
use App\Support\Ai\AiException;
|
||||
use App\Support\Ai\OpenRouterDriver;
|
||||
|
||||
/**
|
||||
* Runtime SSRF backstop: even if a private base URL slips past validation (e.g.
|
||||
* config saved before the rule existed, or DNS rebinding), the driver must refuse
|
||||
* to make the request.
|
||||
*/
|
||||
test('rejects a private base URL before making any request', function () {
|
||||
$driver = new OpenRouterDriver('test-key', ['base_url' => 'http://169.254.169.254']);
|
||||
|
||||
expect(fn () => $driver->validateConnection())->toThrow(AiException::class);
|
||||
});
|
||||
|
||||
test('the thrown AI exception carries the invalid_base_url error key', function () {
|
||||
$driver = new OpenRouterDriver('test-key', ['base_url' => 'http://127.0.0.1:11434']);
|
||||
|
||||
try {
|
||||
$driver->validateConnection();
|
||||
test()->fail('Expected AiException was not thrown');
|
||||
} catch (AiException $e) {
|
||||
expect($e->errorKey)->toBe('invalid_base_url');
|
||||
}
|
||||
});
|
||||
Reference in New Issue
Block a user