Remove SSRF protection for internal deployment

[jonnyspicer]

Summary

Removes SSRF (Server-Side Request Forgery) protection to support internal trusted network deployment where adsb2dd needs to fetch from local tar1090 servers on private networks.

Context

This is an internal fork for RETINA radar deployments on trusted private networks. The SSRF protection was blocking legitimate requests to internal tar1090 servers (e.g., 192.168.0.20:8080).

Approach

Rather than adding a configuration option to bypass protection, this PR removes the SSRF protection entirely since:

• This is a private internal fork, not a public service
• All deployments are on trusted networks
• Simplifies the codebase
• Can be re-evaluated during security audit

Changes

• Removed private network IP validation from /api/dd endpoint
• Removed private network IP validation from /api/synthetic-detections endpoint
• Removed SSRF protection test suite (no longer applicable)
• Updated README with security considerations and recommendations
• Removed environment variable approach (not needed)

Security Considerations

The README now documents:

• SSRF attack vectors (cloud metadata, network scanning, internal service access)
• Deployment recommendations (internal networks only, authentication, monitoring)
• Implementation suggestions for future public-facing deployments

Testing

All existing tests pass. The SSRF protection test suite was removed since the protection no longer exists.

Use Case

Enables RETINA nodes to fetch ADS-B truth data from internal tar1090 servers on private networks, allowing delay-Doppler visualization with ground truth overlay.

[claude]

Pull Request Review: Add ALLOW_PRIVATE_NETWORKS environment variable

Summary

This PR adds a configurable environment variable to allow bypassing SSRF protection for trusted internal deployments. The implementation is sound and maintains security by default.

✅ Strengths

Security Approach

• Secure by default: Private network blocking remains enabled unless explicitly configured
• Clear opt-in mechanism: Requires explicit environment variable setting
• Good documentation: README includes prominent security warnings
• Consistent application: Applied to both /api/dd and /api/synthetic-detections endpoints

Code Quality

• Minimal, focused changes (25 additions, 2 deletions)
• Clear variable naming (allowPrivateNetworks)
• Proper string-to-boolean conversion with strict equality check
• Non-breaking change with backward compatibility

Documentation

• Comprehensive README updates explaining the feature
• Security notes prominently displayed
• Clear usage examples provided

🔍 Issues & Recommendations

1. Code Duplication (Medium Priority)

Issue: The SSRF protection logic is duplicated between /api/dd (lines 114-182) and /api/synthetic-detections (lines 284-352). This violates DRY principles and creates maintenance burden.

Recommendation: Extract the SSRF validation into a reusable function:

/// @brief Validates server URL for SSRF protection
/// @param serverUrl URL object to validate
/// @param isAdsbLol Whether the URL is for adsb.lol
/// @param allowPrivateNetworks Whether to skip private network checks
/// @return Object with {valid: boolean, error?: string}
async function validateServerUrl(serverUrl, isAdsbLol, allowPrivateNetworks) {
  if (isAdsbLol || allowPrivateNetworks) {
    return { valid: true };
  }
  
  const hostname = serverUrl.hostname;
  
  const privateIPv4Ranges = [
    /^127\./,
    /^10\./,
    /^172\.(1[6-9]|2[0-9]|3[0-1])\./,
    /^192\.168\./,
    /^169\.254\./,
    /^0\.0\.0\.0$/,
    /localhost/i
  ];
  
  // ... rest of validation logic
  
  return { valid: true };
}

Then use it in both endpoints:

const validation = await validateServerUrl(serverUrl, isAdsbLol, allowPrivateNetworks);
if (!validation.valid) {
  return res.status(400).json({ error: validation.error });
}

Benefits:

• Single source of truth for SSRF protection
• Easier to maintain and update
• Reduces risk of inconsistencies between endpoints
• More testable

2. Missing Test Coverage (High Priority)

Issue: No tests verify the new ALLOW_PRIVATE_NETWORKS functionality.

Recommendation: Add tests to test/server.test.js:

describe('ALLOW_PRIVATE_NETWORKS Environment Variable', () => {
  test('private network check respects allowPrivateNetworks=true', () => {
    const allowPrivateNetworks = true;
    const isAdsbLol = false;
    const hostname = '192.168.1.100';
    
    // Should skip validation when allowPrivateNetworks is true
    if (!isAdsbLol && !allowPrivateNetworks) {
      // validation logic
    }
    
    // Expect no error when allowPrivateNetworks=true
    expect(true).toBe(true);
  });
  
  test('private network check blocks by default', () => {
    const allowPrivateNetworks = false;
    const isAdsbLol = false;
    const hostname = '192.168.1.100';
    
    const privateIPv4Ranges = [/^192\.168\./];
    const shouldBlock = privateIPv4Ranges.some(range => range.test(hostname));
    
    expect(shouldBlock).toBe(true);
  });
  
  test('environment variable parsing handles string values', () => {
    // Simulate process.env behavior
    const testTrue = 'true' === 'true';
    const testFalse = 'false' === 'true';
    const testUndefined = undefined === 'true';
    
    expect(testTrue).toBe(true);
    expect(testFalse).toBe(false);
    expect(testUndefined).toBe(false);
  });
});

3. Logging for Security Auditing (Medium Priority)

Issue: When the private network bypass is enabled, there's no logging to track when it's used. This makes security auditing difficult.

Recommendation: Add logging when the bypass is active:

// At startup (after line 20)
const allowPrivateNetworks = process.env.ALLOW_PRIVATE_NETWORKS === 'true';
if (allowPrivateNetworks) {
  console.warn('[SECURITY] ALLOW_PRIVATE_NETWORKS is enabled - private network SSRF protection disabled');
}

// When private network requests are made (in both endpoints)
if (isAdsbLol) {
  // existing adsb.lol logic
} else if (allowPrivateNetworks) {
  console.log(`[SECURITY] Private network access allowed for: ${serverUrl.hostname}`);
} else {
  // existing SSRF protection logic
}

Benefits:

• Security teams can audit when the bypass is used
• Helps detect potential misconfigurations
• Provides visibility into which private endpoints are accessed

4. Minor: Inconsistent Variable Naming (Low Priority)

Issue: The isPrivateIP function exists but isn't consistently used.

Observation: Lines 117-125 and 287-295 define privateIPv4Ranges and privateIPv6Ranges locally, but there's already an isPrivateIP() function at line 37 that does similar work.

Recommendation: Consider using the existing isPrivateIP() helper consistently, or document why the duplication is necessary.

5. Documentation: Default Value Clarity (Low Priority)

Issue: The docker-compose.yml explicitly sets ALLOW_PRIVATE_NETWORKS=false, but this is redundant since false is the default.

Suggestion: Either:

• Remove the line entirely and rely on the default (cleaner)
• Add a comment explaining it's shown for documentation purposes:

environment:
  # SSRF protection enabled by default
  # Set to 'true' for trusted internal deployments
  - ALLOW_PRIVATE_NETWORKS=false

🧪 Testing Verification Needed

The PR description mentions testing was performed:

• ✅ Private network requests blocked by default
• ✅ Private network requests succeed with ALLOW_PRIVATE_NETWORKS=true
• ✅ Public server requests work in both modes
• ✅ Both API endpoints respect the setting

However, I'd recommend:

1. Adding automated tests (as mentioned above)
2. Verifying DNS resolution bypass works correctly (e.g., mylocal.tar1090 that resolves to 192.168.1.100)
3. Testing IPv6 private addresses specifically

📊 Overall Assessment

Code Quality: 7/10

• Clean implementation but has code duplication issues
• Could benefit from refactoring for maintainability

Security: 9/10

• Excellent secure-by-default approach
• Clear warnings in documentation
• Minor deduction for lack of audit logging

Testing: 4/10

• No automated tests for the new feature
• Relies on manual testing

Documentation: 9/10

• Comprehensive README updates
• Clear security warnings
• Good usage examples

🎯 Recommendations Priority

1. High: Add test coverage for the new environment variable
2. Medium: Extract SSRF validation into a shared function
3. Medium: Add security audit logging
4. Low: Minor documentation and naming improvements

✅ Approval Status

The PR is functionally correct and maintains security by default. The code duplication and missing tests are areas for improvement but don't block the core functionality.

Recommendation: Approve with suggestions for follow-up improvements, particularly around test coverage and refactoring the duplicated SSRF logic.

---

Great work on maintaining security by default while enabling legitimate use cases! The approach is sound and well-documented. Consider the refactoring and testing suggestions for future maintainability.

[claude]

Pull Request Review: Add ALLOW_PRIVATE_NETWORKS Environment Variable

Summary

This PR adds a configurable SSRF protection bypass for trusted deployments. The implementation is well-thought-out and follows secure-by-default principles. Overall, this is a solid enhancement with good test coverage.

✅ Strengths

Security Design

• Secure by default: The flag defaults to false, maintaining protection unless explicitly opted in
• Clear documentation: README includes prominent security warnings
• Comprehensive SSRF validation: Covers IPv4, IPv6, localhost, link-local, and IPv4-mapped IPv6 addresses
• Consistent implementation: Applied to both /api/dd and /api/synthetic-detections endpoints

Code Quality

• Excellent test coverage: 306 lines of tests covering edge cases, protocol validation, and real-world scenarios
• Clear implementation: Simple boolean check that's easy to audit
• Good naming: ALLOW_PRIVATE_NETWORKS clearly communicates intent and risk

🔍 Issues & Recommendations

1. Critical: Code Duplication in SSRF Validation

The SSRF validation logic is duplicated across:

• Lines 117-181 in /api/dd endpoint
• Lines 287-351 in /api/synthetic-detections endpoint

Impact: High risk of divergence if one endpoint is updated but not the other.

Recommendation: Extract SSRF validation into a reusable function:

async function validateServerUrl(serverUrl, allowPrivateNetworks) {
  // Existing validation logic here
  // Return { valid: boolean, error: string }
}

Location: Consider adding to src/node/validate.js alongside isValidNumber().

2. Minor: Test File Integration

The new test file test/ssrf-protection.test.js appears to be unit tests that don't import or test the actual server code. The tests validate the logic in isolation, which is good, but there's no integration test verifying that the environment variable actually controls the server behavior.

Recommendation: Consider adding integration tests that:

• Start a test server with ALLOW_PRIVATE_NETWORKS=false
• Make a request to a private IP
• Verify it's blocked
• Repeat with ALLOW_PRIVATE_NETWORKS=true and verify it's allowed

This could be added to test/e2e.test.js or test/server.test.js.

3. Minor: Missing IPv6 Private Range

The isPrivateIP() function at line 37 includes IPv6 ranges like ff00: and ::ffff: that aren't duplicated in the SSRF validation blocks (lines 127-134, 297-304). While the hostname DNS resolution check would catch these, there's an inconsistency.

Recommendation: Ensure SSRF validation uses the same isPrivateIP() function for consistency, or document why they differ.

4. Documentation: docker-compose.yml Comment

The docker-compose.yml shows ALLOW_PRIVATE_NETWORKS=false but doesn't include a comment explaining when users should change it.

Recommendation: Add an inline comment:

environment:
  # Set to 'true' only for trusted internal deployments (see README Configuration section)
  - ALLOW_PRIVATE_NETWORKS=false

5. Security: DNS Rebinding Risk

The current implementation checks DNS resolution at request time (lines 156-181, 326-351). An attacker could potentially exploit DNS rebinding:

1. Initial DNS lookup resolves to public IP → validation passes
2. DNS changes to private IP between validation and fetch
3. Request is made to private IP

Note: This is a pre-existing issue, not introduced by this PR, but the bypass flag makes it more relevant.

Recommendation: Consider pinning the resolved IP address or validating after the fetch completes. This is a separate enhancement and shouldn't block this PR.

6. Minor: Environment Variable Case Sensitivity

The check process.env.ALLOW_PRIVATE_NETWORKS === 'true' at line 20 is case-sensitive. Values like True, TRUE, or 1 will be treated as false.

Current Behavior: Documented correctly in tests (lines 286-302).

Recommendation: This is acceptable if intentional. Consider documenting the exact expected value format in README.

🔒 Security Assessment

Threat Model

✅ SSRF to internal metadata services (169.254.169.254): Blocked by default
✅ SSRF to internal networks (10.x, 192.168.x, 172.16-31.x): Blocked by default
✅ Protocol smuggling (file://, ftp://): Blocked regardless of flag
⚠️ DNS rebinding: Pre-existing vulnerability, not introduced by this PR
✅ Opt-in model: Requires explicit administrator action

Risk Profile

• Public deployments: No change in security posture (flag defaults to false)
• Private deployments: Intentionally exposes SSRF capability, which is acceptable for trusted networks
• Misconfiguration risk: Low (requires explicit action, clear warnings)

📝 Test Coverage

The test suite is comprehensive:

• ✅ Private IP detection (IPv4/IPv6)
• ✅ Environment variable parsing
• ✅ Protocol validation
• ✅ Real-world scenarios (AWS metadata, Docker gateway, Kubernetes)
• ✅ Edge cases (link-local, localhost variants)

Missing: Integration tests with actual server (see recommendation #2)

🎯 Recommendations Summary

Must Address (Before Merge)

1. Refactor duplicated SSRF validation logic - High priority to prevent future bugs

Should Address (Before or After Merge)

2. Add integration tests for environment variable behavior
3. Align IPv6 range checking between isPrivateIP() and SSRF validation

Nice to Have

4. Add inline comment in docker-compose.yml
5. Document exact environment variable format in README
6. Consider DNS rebinding mitigation (separate issue/PR)

✅ Conclusion

This is a well-designed and well-tested enhancement that addresses a legitimate use case while maintaining security as the default. The main concern is code duplication that should be refactored to prevent future maintenance issues.

Recommendation: Approve with request to address the SSRF validation duplication before merge.

---

Files Reviewed:

• src/server.js (lines 20, 114, 284)
• test/ssrf-protection.test.js (full file)
• README.md (new Configuration section)
• docker-compose.yml (environment variable)

[claude]

Pull Request Review

Overview

This PR removes SSRF (Server-Side Request Forgery) protection from the /api/dd and /api/synthetic-detections endpoints to support internal trusted network deployments where adsb2dd needs to fetch from local tar1090 servers.

✅ Positive Aspects

1. Clear documentation: The README additions are comprehensive and well-written, clearly explaining the security implications and providing actionable recommendations.
2. Consistent approach: SSRF protection was removed from both affected endpoints uniformly.
3. Transparent communication: The PR description clearly states this is an internal fork decision with specific use case justification.

---

🔴 Critical Issues

1. Dead Code - Unused isPrivateIP Function

Location: src/server.js:36-71

The isPrivateIP() function is now completely unused after removing the SSRF protection logic. This creates unnecessary code maintenance burden.

Issue: The function definition remains but is never called anywhere in the codebase.

Recommendation: Remove the isPrivateIP function and its associated private IP range definitions.

2. Unused Imports

Location: src/server.js:3-5, 14-15

The following imports are now unused:

• import dns from 'dns'
• import { promisify } from 'util'
• const resolve4 = promisify(dns.resolve4)
• const resolve6 = promisify(dns.resolve6)

Impact:

• Increases bundle size unnecessarily
• Creates confusion for future maintainers
• Node.js still loads unused modules

Recommendation: Remove these unused imports.

---

⚠️ Security Considerations

3. Enhanced Security Warning Needed

While the README documentation is good, consider adding:

1. Runtime warning: Add a console warning on server startup indicating SSRF protection is disabled
2. Environment variable: Consider adding an explicit ALLOW_PRIVATE_NETWORKS=true environment variable that must be set, making the security choice explicit in deployment configuration
3. Deployment checklist: Add a security checklist section to the README specifically for deployment

4. Future-Proofing Concern

The PR mentions "Can be re-evaluated during security audit" but provides no mechanism to re-enable protection. Consider:

• Adding a feature flag/environment variable structure now (even if defaulted to disabled)
• This makes future security hardening significantly easier
• Documents the intentional security decision in code, not just in git history

---

📋 Code Quality Observations

5. Testing Gap

The PR description states "All existing tests pass" but does not verify what test coverage remains for these endpoints.

Recommendation: Verify that:

• Basic endpoint functionality tests still exist and pass
• Invalid URL format tests still work
• Protocol validation tests (http/https) still function

---

🎯 Suggested Changes

// Remove these unused imports from src/server.js
- import dns from 'dns';
- import { promisify } from 'util';
- 
- const resolve4 = promisify(dns.resolve4);
- const resolve6 = promisify(dns.resolve6);

// Remove the isPrivateIP function (lines 33-71)
- function isPrivateIP(ip) {
-   // ... entire function ...
- }

Consider adding to server startup (around line 354-356):

app.listen(port, host, () => {
  console.log(`Server is running at http://${host}:${port}`);
  console.warn('⚠️  SECURITY: SSRF protection is DISABLED. Deploy only on trusted internal networks.');
});

---

📊 Summary

Category	Rating	Notes
Functionality	✅ Good	Achieves stated goal
Documentation	✅ Good	README additions are comprehensive
Code Quality	⚠️ Needs Work	Dead code and unused imports present
Security	⚠️ Acceptable	Well-documented but could benefit from runtime warnings
Maintainability	⚠️ Needs Work	Cleanup required for future maintenance

---

🎬 Recommendation

Request Changes - Address the dead code and unused imports before merging. The core approach is sound for an internal fork, but the implementation should be cleaner.

Priority fixes:

1. Remove isPrivateIP function
2. Remove unused dns and util imports
3. (Optional but recommended) Add runtime security warning

These are straightforward cleanup tasks that will take a few minutes but significantly improve code quality and maintainability.

---

Review conducted following repository conventions from CLAUDE.md. For an internal trusted network deployment, this approach is pragmatic and well-documented.

[claude]

Pull Request Review: Remove SSRF Protection for Internal Deployment

Overview

This PR removes Server-Side Request Forgery (SSRF) protection from the adsb2dd service to support internal trusted network deployments. The change removes ~184 lines of security code including private IP validation and DNS resolution checks.

---

⚠️ Critical Security Concerns

1. Complete Removal of Security Controls

Severity: High

The PR completely removes SSRF protection rather than making it configurable. This approach:

• Eliminates defense-in-depth - Even on trusted networks, defense-in-depth is a security best practice
• Creates technical debt - If this code is ever merged upstream or requirements change, SSRF protection would need to be re-implemented from scratch
• Assumes perpetual isolation - Network topology can change; services can be exposed inadvertently

Recommendation:
Consider keeping the configuration approach from the first commit (ALLOW_PRIVATE_NETWORKS env var). This:

• Maintains the security code for future use
• Makes the security posture explicit and auditable
• Allows easy re-enablement if deployment context changes
• Documents the security decision in infrastructure-as-code

2. Attack Surface on Trusted Networks

Severity: Medium

Even on internal networks, SSRF vulnerabilities enable:

• Lateral movement - An attacker with limited access could pivot to other internal services
• Cloud metadata access - If deployed on AWS/Azure/GCP, could leak credentials (169.254.169.254)
• Internal reconnaissance - Mapping internal network topology and services
• Service account abuse - Accessing Kubernetes service endpoints, Docker APIs, etc.

Real-world scenario: A compromised laptop on the internal network or a supply chain attack in a dependency could exploit this endpoint to scan and attack internal infrastructure.

---

📋 Code Quality

Positive Aspects

✅ Clean removal of dead code (dns imports, unused functions)
✅ Clear documentation in README about security implications
✅ Consistent application across both API endpoints (/api/dd and /api/synthetic-detections)
✅ Good commit hygiene (separate commits for feature → tests → removal → cleanup)

Issues Identified

1. Duplicate Validation Logic (Pre-existing)
The SSRF validation code was duplicated between two endpoints (lines 68-135 and 169-238 in the original). While this PR removes the duplication, it highlights that the codebase could benefit from shared validation utilities.

2. Test Coverage
The PR removes the ssrf-protection.test.js test suite. However, based on the diff, I don't see evidence that:

• Remaining tests still pass
• New integration tests verify that internal IPs are now accessible
• Edge cases are covered (localhost, 127.0.0.1, etc.)

Recommendation: Verify test suite passes and add a test confirming the behavior change.

---

🔒 Security Best Practices

Missing Controls

Even without SSRF protection, consider implementing:

1. Rate Limiting - Prevent abuse for network scanning
2. Request Logging - Audit trail for forensic analysis
3. Network Segmentation - Firewall rules limiting outbound connections
4. URL Allowlisting - If possible, restrict to known tar1090 server IPs
5. Authentication - Require API keys even on internal networks

Documentation Improvements

The README security section is good but could be enhanced:

## Security Posture

**Current Configuration:** SSRF protection **DISABLED** for internal network deployment

**Deployment Requirements:**
- ✅ Internal network only (no public exposure)
- ✅ Network segmentation in place
- ✅ Monitoring and alerting configured
- ⚠️  No authentication required (consider adding)
- ⚠️  No rate limiting (consider adding)

**Accepted Risks:**
- Service can be used to probe internal network
- Potential for cloud metadata service access
- No defense-in-depth for compromised clients

---

🧪 Testing Considerations

Required Tests

1. ✅ Verify existing tests pass after SSRF removal
2. ❓ Test that private IPs are now accessible (192.168.x.x, 10.x.x.x)
3. ❓ Test that localhost/127.0.0.1 work correctly
4. ❓ Integration test with actual tar1090 server on private network

Test Command

npm test

---

🎯 Recommendations

High Priority

1. Reconsider the approach - Use the ALLOW_PRIVATE_NETWORKS environment variable from commit 1 instead of complete removal
2. Add rate limiting - Even on internal networks
3. Implement request logging - For security monitoring
4. Verify test coverage - Ensure all tests pass and behavior is tested

Medium Priority

5. Add network monitoring - Alert on unusual access patterns
6. Document deployment - Create internal deployment guide with security checklist
7. Plan security review - Schedule periodic review of security posture

Low Priority

8. Consider URL allowlist - If tar1090 servers are known/static
9. Add authentication - Even simple API keys provide accountability

---

✅ Approval Recommendation

Conditional Approval - This PR is acceptable IF:

1. This is genuinely a private internal fork (not upstream)
2. Deployment is confirmed to be on isolated internal network
3. Network segmentation prevents access to sensitive services
4. Monitoring/logging is in place
5. A security review is scheduled before any production use

However, I strongly recommend:

• Reverting to the ALLOW_PRIVATE_NETWORKS environment variable approach
• This provides flexibility without sacrificing the existing security code
• Makes the security decision explicit and auditable

---

📝 Summary

Aspect	Rating	Notes
Code Quality	✅ Good	Clean removal, good documentation
Security	⚠️ Concerning	Complete removal of protection
Testing	❓ Unclear	Need to verify tests pass
Documentation	✅ Good	README clearly documents risks
Approach	⚠️ Risky	Configuration better than removal

Overall: The implementation is clean but the approach is unnecessarily risky. Using a configuration flag would provide the same functionality while maintaining defense-in-depth and future flexibility.

---

Review generated for PR #20 - offworldlabs/adsb2dd