fix(security): allow HTTP for localhost and loopback addresses#3286

Open
aayush598 wants to merge 1 commit into simstudioai:staging from aayush598:fix/url-localhost-http

Conversation

@aayush598

Summary

This PR restores support for HTTP on localhost for local development while preserving existing SSRF protections and HTTPS requirements for external URLs.
Previously, HTTP requests to localhost were rejected due to strict HTTPS enforcement and private IP blocking. This prevented local development and testing without configuring HTTPS.
This change allows HTTP requests for loopback addresses while maintaining security constraints for all other hosts.

Allowed loopback addresses:
localhost
127.0.0.1
::1

Security protections remain unchanged for non-loopback addresses.

Fixes #3112

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation
  • Other: ___________

Testing

Tested locally using the development server.

Verified Working

Allowed:

http://localhost:3000
https://localhost:3000
http://127.0.0.1:3000
https://127.0.0.1:3000
http://[::1]:3000
https://[::1]:3000

Blocked:

http://192.168.1.1
http://10.0.0.1
http://172.16.0.1
http://169.254.169.254

Automated Tests

Added unit tests covering:
localhost URLs
IPv4 loopback addresses
IPv6 loopback addresses
HTTPS enforcement for external URLs
Private IP blocking

All tests pass successfully.

Reviewers should focus on:
validateExternalUrl()
validateUrlWithDNS()
Loopback detection logic
SSRF protection behavior

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Screenshots/Videos

Not applicable
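As an added example that is not the project's code, the following validator has the shape the PR describes for validateExternalUrl(): plain HTTP is accepted only for localhost, 127.0.0.1 and ::1, while every other host still needs HTTPS and is checked against private address ranges. Function names, the result type and the private-range list are this example's own assumptions; the bracket handling is there because URL.hostname keeps the brackets on IPv6 literals ("[::1]").

```typescript
interface UrlCheck {
  ok: boolean
  loopback: boolean
  hostname: string
  reason?: string
}

// Assumed private ranges: RFC 1918 plus link-local (covers cloud metadata endpoints).
const PRIVATE_V4 = [/^10\./, /^172\.(1[6-9]|2\d|3[01])\./, /^192\.168\./, /^169\.254\./]
// Unique-local (fc00::/7) and link-local (fe80::/10) IPv6 prefixes.
const PRIVATE_V6 = [/^f[cd][0-9a-f]{2}:/, /^fe[89ab][0-9a-f]:/]

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw)
  } catch {
    return null
  }
}

// URL.hostname returns IPv6 literals with brackets ("[::1]"); strip them so the
// address can be compared against bare forms.
function stripBrackets(h: string): string {
  return h.startsWith('[') && h.endsWith(']') ? h.slice(1, -1) : h
}

function isLoopback(hostname: string): boolean {
  const h = stripBrackets(hostname.toLowerCase())
  return h === 'localhost' || h === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h)
}

function isPrivateIp(h: string): boolean {
  return PRIVATE_V4.some((re) => re.test(h)) || PRIVATE_V6.some((re) => re.test(h))
}

function validateExternalUrl(raw: string): UrlCheck {
  const url = parseUrl(raw)
  if (!url) return { ok: false, loopback: false, hostname: '', reason: 'unparseable URL' }
  const hostname = stripBrackets(url.hostname.toLowerCase())
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, loopback: false, hostname, reason: 'invalid protocol' }
  }
  // Loopback is the only case where plain HTTP is accepted (local development).
  if (isLoopback(hostname)) return { ok: true, loopback: true, hostname }
  if (url.protocol !== 'https:') {
    return { ok: false, loopback: false, hostname, reason: 'HTTPS required for external URLs' }
  }
  if (isPrivateIp(hostname)) return { ok: false, loopback: false, hostname, reason: 'private IP blocked' }
  return { ok: true, loopback: false, hostname }
}
```

The check runs on the literal hostname only; the DNS-resolution step the PR describes in validateUrlWithDNS() would still be needed for names that resolve to private addresses.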

@vercel

vercel bot commented Feb 21, 2026

@aayush598 is attempting to deploy a commit to the Sim Team on Vercel.

A member of the Team first needs to authorize it.

@greptile-apps

greptile-apps bot commented Feb 21, 2026

Greptile Summary

This PR enables HTTP requests to localhost addresses (localhost, 127.0.0.1, ::1) to support local development while preserving all existing SSRF protections for external URLs.

Key Changes:

  • Modified validateExternalUrl() to detect loopback addresses and allow HTTP protocol for them
  • Updated validateUrlWithDNS() to recognize loopback addresses and exempt them from private IP blocking
  • Added comprehensive test coverage for all loopback address formats

Security Assessment:
The implementation correctly maintains security boundaries:

  • HTTPS remains required for all non-localhost addresses
  • Private IP blocking (192.168.x.x, 10.x.x.x, etc.) still enforced
  • Loopback detection properly identifies localhost, 127.0.0.1, and ::1
  • DNS lookup uses verbatim: true to prevent DNS rebinding attacks

The bracket-stripping logic in both files (hostname.startsWith('[') && hostname.endsWith(']')) may be unnecessary since URL.hostname already returns IPv6 addresses without brackets, but it doesn't cause issues in practice.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it enables localhost development without weakening security
  • The implementation correctly isolates the localhost exception while maintaining all existing SSRF protections. The loopback detection logic is sound, test coverage is comprehensive, and the change is well-scoped. External URLs still require HTTPS and private IP blocking remains enforced.
  • No files require special attention - all changes are straightforward and well-tested

Important Files Changed

Filename | Overview
apps/sim/lib/core/security/input-validation.ts | Added loopback detection logic to validateExternalUrl() - allows HTTP for localhost/127.0.0.1/::1 while maintaining HTTPS requirement for external URLs and SSRF protections for private IPs
apps/sim/lib/core/security/input-validation.server.ts | Added loopback detection to DNS validation - strips IPv6 brackets for lookup and recognizes localhost/127.0.0.1/::1 as exempt from private IP blocking
apps/sim/lib/core/security/input-validation.test.ts | Updated tests to expect localhost/loopback URLs to be accepted with both HTTP and HTTPS protocols - comprehensive coverage of localhost, 127.0.0.1, and ::1

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[URL Validation Request] --> B{Parse URL}
    B --> C{Check Protocol}
    C -->|Not http/https| D[Reject: Invalid Protocol]
    C -->|http/https| E{Detect Loopback?}
    E -->|Yes: localhost/127.0.0.1/::1| F{Protocol Check}
    F -->|http or https| G[Allow - Local Dev]
    E -->|No: External URL| H{Protocol = https?}
    H -->|No| I[Reject: HTTPS Required]
    H -->|Yes| J{Check IP}
    J -->|Private IP Range| K[Reject: Private IP Blocked]
    J -->|Public IP| L{Check Port}
    L -->|Blocked Port| M[Reject: Port Blocked]
    L -->|Allowed Port| N[Accept]
    G --> O[DNS Resolution]
    N --> O
    O --> P{Resolved IP Private?}
    P -->|Yes & Not Loopback| Q[Reject: SSRF Protection]
    P -->|No or Loopback| R[Success]

Last reviewed commit: ad24c94

@greptile-apps greptile-apps bot left a comment
3 files reviewed, no comments