Files
InvoiceShelf/app/Rules/PublicHttpUrl.php
Darko Gjorgjijoski ac2a8ca939 fix(security): gate AI tools by user ability and block admin-URL SSRF
The AI chat assistant scoped tool queries by company but ignored the
per-user Bouncer abilities the rest of the app enforces, so any `use ai`
holder could read customers, invoices, payments, and company financials
their role couldn't otherwise see. Each AiTool now declares a required
ability (entity-aligned); the registry hides unauthorized tools from the
model and refuses to execute them as a backstop.

Separately, admin/owner-supplied URLs were fetched server-side with no
guard against private/reserved targets (SSRF): the AI base URL, the
CurrencyConverter "DEDICATED" exchange-rate URL, and S3/Spaces file-disk
endpoints. A shared PrivateNetworkGuard now backs a PublicHttpUrl
validation rule (save-time) and runtime guards in each driver.

- AiTool::requiredAbility() + mapping across all 12 tools
- AiToolRegistry filters schemas() by ability and re-checks in execute()
- PrivateNetworkGuard / BlockedUrlException / PublicHttpUrl rule (new)
- Rule wired into AI config (service + 3 controllers), exchange-rate,
  and file-disk endpoints; runtime guards in OpenRouterDriver,
  CurrencyConverterDriver, and FileDiskService
- Tests for ability filtering, the guard, the rule, and 422 rejections
2026-06-05 00:01:09 +02:00

32 lines
1.1 KiB
PHP

<?php
namespace App\Rules;
use App\Support\Net\PrivateNetworkGuard;
use Closure;
use Illuminate\Contracts\Validation\ValidationRule;
/**
* Rejects URLs that target a private, loopback, link-local, or otherwise
* non-publicly-routable address — an SSRF guard for admin/owner-supplied base
* URLs and endpoints the server fetches with credentials attached.
*
* Pair with the `url` rule, which validates syntax; this rule adds the
* network-safety check on top. Empty values pass through so it composes with
* `nullable`. Hostnames that do not resolve are allowed here (fail-open); the
* authoritative block happens in the runtime driver guard at request time.
*/
class PublicHttpUrl implements ValidationRule
{
public function validate(string $attribute, mixed $value, Closure $fail): void
{
if (! is_string($value) || trim($value) === '') {
return;
}
if (PrivateNetworkGuard::blockedReason($value) !== null) {
$fail('The :attribute must be a publicly reachable URL, not a private or reserved address.');
}
}
}