[Security] SSRF and local resource access via unrestricted URL handling

[fredluz]

Summary

The goto, newtab, and diff commands accept arbitrary URLs and pass them directly to Playwright's page.goto() with no scheme or host validation. This enables Server-Side Request Forgery (SSRF) and local file access.

Affected Code

• browse/src/write-commands.ts:21 — goto command

  const response = await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 15000 });

• browse/src/browser-manager.ts:69 — newTab() method

  await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 15000 });

• browse/src/meta-commands.ts:158,168 — diff command

  await page.goto(url1, { waitUntil: 'domcontentloaded', timeout: 15000 });
  await page.goto(url2, { waitUntil: 'domcontentloaded', timeout: 15000 });

Impact

The browser can be directed to access:

• file:///etc/passwd and other local files
• http://127.0.0.1/... and other private network targets
• http://169.254.169.254/... cloud metadata endpoints
• Any other scheme Chromium accepts

In an agentic context, a prompt-injected page could coerce the model into fetching internal resources and exfiltrating content via text, html, or screenshot.

Proof of Concept

• bun run dev goto file:///etc/hosts → Navigated ... (200) — successfully reads local file
• bun run dev goto http://127.0.0.1:<port>/... → successfully accesses localhost services

Suggested Fix

• Default-deny non-HTTP(S) schemes
• Add a denylist for localhost, RFC1918, link-local, .internal, and cloud metadata IPs (169.254.169.254)
• Make access to local/private targets an explicit opt-in with a warning

Severity

High — enables local file read and internal network access, amplified by agentic automation context

[innodonni]

This still doesn't prevent malignment from hacking insecure networks and launching nukes. I won't be using or recommending it.