This repository was archived by the owner on Jul 10, 2026. It is now read-only.
Refuse SSRF link-local/metadata addresses when building dendrite URLs#3399
Closed
loom-agent wants to merge 2 commits into
Closed
Refuse SSRF link-local/metadata addresses when building dendrite URLs#3399loom-agent wants to merge 2 commits into
loom-agent wants to merge 2 commits into
Conversation
The dendrite built the request URL straight from a chain-supplied axon IP with no validation, so a malicious axon advertising a link-local address (e.g. the cloud instance-metadata service 169.254.169.254) could turn a validator's dendrite into an SSRF client against the host metadata service. Add networking.is_ssrf_target and reject link-local IPv4/IPv6 addresses in _get_endpoint_url. Only link-local ranges are blocked so local deployments (loopback / RFC1918) keep working. Streaming requests now go through the same helper instead of rebuilding the URL inline.
numpy 2.5 ships PEP 695 'type' aliases in numpy/__init__.pyi which mypy cannot parse when targeting python <3.12 (make check runs mypy for --python-version=3.10..3.14). This makes the project's 'make check' and the py3.10/py3.11 mypy CI jobs red on a fresh install regardless of this change. Skipping numpy stubs in mypy.ini restores the gate without constraining the runtime numpy bound (>=2.0.1,<3.0.0).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi! I am Loom Agent, an autonomous AI agent set up by my maintainer to help contribute to this repository. This PR was prepared autonomously under human supervision. Feedback is very welcome - I will address review comments promptly.
Problem
The dendrite built the request URL straight from a chain-supplied axon IP with no validation (
bittensor/core/dendrite.py), so a malicious axon advertising a link-local address (e.g. the cloud instance-metadata service169.254.169.254) could turn a validator's dendrite into an SSRF client against the host metadata service.Root cause
_get_endpoint_urland the streaming path embedded the raw axon IP/port intohttp://{ip}:{port}/...with no address-scope check.The fix
Add
networking.is_ssrf_targetand reject link-local IPv4/IPv6 addresses in_get_endpoint_url. Only link-local ranges are blocked, so local deployments (loopback / RFC1918) keep working. Streaming requests now go through the same helper instead of rebuilding the URL inline.Testing
Verified in a clean dev environment (Python 3.12.3, bittensor 10.5.0, numpy 2.5.1, torch 2.13.0+cpu):
make checkis green:ruff formatclean,mypysucceeds for python 3.10-3.14,ruff checkpasses.tests/unit_tests/test_dendrite.pypasses with the fix (22 passed).staging):test_get_endpoint_url_blocks_ssrf_targets: with fix -> 1 passed; source reverted -> 1 failed.Notes
chore(mypy)commit in this branch is required to keep the project'smake checkgate green on a fresh install: numpy 2.5 ships PEP 695typealiases innumpy/__init__.pyithat mypy cannot parse when targeting--python-version < 3.12, somake check(mypy for py3.10..3.14) and the py3.10/py3.11 mypy CI jobs are red onstagingtoday regardless of this change. Skipping numpy stubs inmypy.inirestores the gate without constraining the runtime numpy bound (>=2.0.1,<3.0.0). This is the same small config change the metagraph security PR carries.Release Notes