fix(providers): pin Azure OpenAI/Anthropic endpoints to validated IP

[waleedlatif1]

Summary

• Fix TOCTOU DNS-rebinding SSRF in the Azure OpenAI and Azure Anthropic providers: both validated request.azureEndpoint with validateUrlWithDNS but then discarded the resolved IP and handed the raw hostname to the SDK/fetch, which re-resolved DNS at connect time — letting a short-TTL rebinding host pass validation (public IP) then connect to an internal IP (e.g. 169.254.169.254).
• Add createPinnedFetch(resolvedIP) in input-validation.server.ts: a standard fetch routed through an undici Agent with a pinned DNS lookup, so the connection goes to the validated IP while the hostname is preserved for TLS SNI / Host header. Because the lookup always returns the validated IP, redirect hops can't rebind to an internal address either. Dispatchers are pooled by IP (LRU, max 64) for keep-alive reuse — same pattern as lib/mcp/pinned-fetch.ts.
• Wire the pinned fetch into both providers, but only on the user-supplied-endpoint path: Azure Anthropic's new Anthropic({ fetch }), Azure OpenAI's chat-completions new AzureOpenAI({ fetch }), and both Responses-API configs via a new optional ResponsesProviderConfig.fetch (defaults to global fetch).
• Trusted server-env endpoints and all non-Azure providers are unchanged.

Type of Change

• Bug fix (security)

Testing

• New createPinnedFetch unit suite (8 tests): pinned lookup returns the validated IP for any hostname (IPv4/IPv6), dispatcher forwarding + init preservation, pooling/eviction.
• New Azure OpenAI + Azure Anthropic wiring suites (8 tests): user endpoint pins; trusted-env endpoint does not; blocked validation throws before any client/fetch.
• typecheck clean, check:api-validation passes, full security + provider suites green (453 tests).

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 15, 2026 8:11pm

[cursor]

PR Summary

High Risk
Changes outbound HTTP for user-controlled Azure endpoints and consolidates SSRF pinning used by MCP and LLM providers—security-sensitive, though scoped to the user-endpoint path with fail-closed validation.

Overview
Fixes a DNS-rebinding (TOCTOU) SSRF gap where Azure OpenAI and Azure Anthropic ran validateUrlWithDNS on user azureEndpoint values but still connected via the SDK/global fetch, which could re-resolve to a different IP at connect time.

Adds shared createPinnedFetch(resolvedIP) in input-validation.server.ts: undici Agent + pinned lookup so traffic uses the validated IP while keeping the original hostname for TLS SNI/Host. MCP transport, OAuth probe, and SSRF-guarded MCP fetch now call this helper instead of the removed createMcpPinnedFetch (and its per-IP agent pool) in lib/mcp/pinned-fetch.ts.

For user-supplied Azure endpoints only: after validation, providers require a resolvedIP, build createPinnedFetch, and pass it into the Anthropic client, AzureOpenAI chat completions, and Responses API via new optional ResponsesProviderConfig.fetch (used by executeResponsesProviderRequest instead of global fetch). Trusted env-configured endpoints are unchanged.

New/updated unit tests cover pinned fetch behavior and Azure pinning paths (pin vs env vs blocked vs missing IP).

^{Reviewed by Cursor Bugbot for commit 3b4ef1d. Configure here.}

[greptile-apps]

Greptile Summary

This PR closes a TOCTOU DNS-rebinding SSRF vulnerability in the Azure OpenAI and Azure Anthropic providers: both previously validated the user-supplied endpoint with validateUrlWithDNS but then discarded the resolved IP and passed the raw hostname to the SDK, allowing a short-TTL rebinding attack to switch from a public IP (passing validation) to an internal address at connect time.

• Adds createPinnedFetch(resolvedIP) in input-validation.server.ts — wraps undici's fetch with an Agent whose DNS lookup function always returns the pre-validated IP, so every connection (including SDK-internal retries and redirects) is pinned to the safe address.
• Wires the pinned fetch into both Azure providers on the user-supplied-endpoint path only; server-env endpoints remain untouched.
• Consolidates the MCP client, OAuth probe, and revoke paths to use the same createPinnedFetch, removing the now-redundant createMcpPinnedFetch and its LRU pool from pinned-fetch.ts.

Confidence Score: 5/5

The change is safe to merge: the SSRF fix is correctly applied to all three Azure OpenAI code paths and to the Anthropic provider, the fail-closed guard prevents silent bypass when resolvedIP is absent, and trusted server-env endpoints are deliberately left untouched.

The core security logic — pinning DNS resolution via an undici Agent before handing the URL to the SDK — is sound and well-tested. All direct fetch calls in core.ts were replaced with fetchImpl, and both Azure providers propagate the pinned function through every branch. The only regression introduced is that createSsrfGuardedMcpFetch now creates a new Agent per request (losing the former LRU-pooled keep-alive reuse), but this affects only low-frequency MCP OAuth operations and carries no correctness or security impact.

apps/sim/lib/mcp/pinned-fetch.ts — the inner-closure placement of createPinnedFetch means MCP OAuth guard requests do not reuse connections; all other files are clean.

Important Files Changed

Filename	Overview
apps/sim/lib/core/security/input-validation.server.ts	Adds createPinnedFetch: creates an undici Agent with a pinned DNS lookup per call; correctly returns a standard fetch-compatible function with double-casts for type bridge.
apps/sim/lib/mcp/pinned-fetch.ts	Removes createMcpPinnedFetch and its LRU agent pool; createSsrfGuardedMcpFetch now calls createPinnedFetch per-request inside the closure, losing cross-request connection reuse.
apps/sim/providers/azure-anthropic/index.ts	Properly validates user endpoint, fails closed if resolvedIP is absent, and threads the pinned fetch into the Anthropic SDK client; trusted-env path is unchanged.
apps/sim/providers/azure-openai/index.ts	Correctly propagates pinnedFetch to all three code paths (chat completions, Responses full-URL, Responses base-URL); fail-closed guard for missing resolvedIP is in place.
apps/sim/providers/openai/core.ts	Adds optional fetch field to ResponsesProviderConfig; all three direct fetch(config.endpoint, …) calls correctly replaced with fetchImpl; global fetch fallback is sound.
apps/sim/lib/mcp/client.ts	One-line import swap from createMcpPinnedFetch to createPinnedFetch; correct — Agent is created once per MCP client connection, so keep-alive reuse is preserved here.

_{Reviews (7): Last reviewed commit: "refactor(security): drop pinned-fetch ag..." | Re-trigger Greptile}

[waleedlatif1]

Thanks @greptile-apps — addressed in c8c4867:

• resolvedIP! non-null assertion (P2, both providers): replaced with an explicit fail-closed guard — if validation passes but no resolvedIP is present, we throw rather than calling createPinnedFetch(undefined). For a security fix, failing closed (no request) is the correct behavior since proceeding unpinned would reintroduce the SSRF. Added test coverage for this branch in both provider suites.
• Duplicated pool/pinned-fetch logic vs lib/mcp/pinned-fetch.ts (P2): intentionally deferred. Consolidating would require createMcpPinnedFetch to import the shared helper from input-validation.server.ts, which breaks lib/mcp/pinned-fetch.test.ts (it mocks that module to export only createPinnedLookup). The duplication is ~15 lines and self-contained; I'd rather not expand the blast radius of a security PR with a cross-module refactor. Happy to do it as a follow-up.

[greptile-apps]

Both fixes look correct and well-reasoned.

The fail-closed guard is exactly right — if validateUrlWithDNS ever returns isValid: true with no resolvedIP (edge case in a future code path, or an unexpected resolver behavior), throwing is strictly safer than proceeding unpinned and silently reintroducing the TOCTOU window. The error messages are also clear enough to diagnose in practice.

The duplication deferral rationale holds. Touching lib/mcp/pinned-fetch.ts imports in a security PR just to save ~15 lines would drag in test-mock changes and expand review surface for no security benefit. A follow-up issue to track the consolidation would be worth filing so it doesn't quietly accumulate.

Both concerns addressed — LGTM.

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit c8c4867. Configure here.}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 081d0e4. Configure here.}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 112734e. Configure here.}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 112734e. Configure here.}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 3b4ef1d. Configure here.}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 3b4ef1d. Configure here.}