fix: add SSRF redirect protection to httpx client factory

dgenio · dgenio · commit 542396228dee · 2026-02-28T13:28:02.000Z
Add a RedirectPolicy enum to create_mcp_http_client() that validates redirect targets via httpx event hooks. The default policy (BLOCK_SCHEME_DOWNGRADE) blocks HTTPS-to-HTTP redirect downgrades. ENFORCE_HTTPS restricts all redirects to HTTPS-only destinations. ALLOW_ALL preserves the previous unrestricted behavior. Github-Issue: #2106
diff --git a/src/mcp/shared/_httpx_utils.py b/src/mcp/shared/_httpx_utils.py
@@ -1,41 +1,115 @@
 """Utilities for creating standardized httpx AsyncClient instances."""
 
+import logging
+from enum import Enum
 from typing import Any, Protocol
 
 import httpx
 
-__all__ = ["create_mcp_http_client", "MCP_DEFAULT_TIMEOUT", "MCP_DEFAULT_SSE_READ_TIMEOUT"]
+logger = logging.getLogger(__name__)
+
+__all__ = [
+    "MCP_DEFAULT_SSE_READ_TIMEOUT",
+    "MCP_DEFAULT_TIMEOUT",
+    "RedirectPolicy",
+    "create_mcp_http_client",
+]
 
 # Default MCP timeout configuration
 MCP_DEFAULT_TIMEOUT = 30.0  # General operations (seconds)
 MCP_DEFAULT_SSE_READ_TIMEOUT = 300.0  # SSE streams - 5 minutes (seconds)
 
 
+class RedirectPolicy(Enum):
+    """Policy for validating HTTP redirects to protect against SSRF attacks.
+
+    Attributes:
+        ALLOW_ALL: No restrictions on redirects (legacy behavior).
+        BLOCK_SCHEME_DOWNGRADE: Block HTTPS-to-HTTP downgrades on redirect (default).
+        ENFORCE_HTTPS: Only allow HTTPS redirect destinations.
+    """
+
+    ALLOW_ALL = "allow_all"
+    BLOCK_SCHEME_DOWNGRADE = "block_scheme_downgrade"
+    ENFORCE_HTTPS = "enforce_https"
+
+
+async def _check_redirect(response: httpx.Response, policy: RedirectPolicy) -> None:
+    """Validate redirect responses against the configured policy.
+
+    This is installed as an httpx response event hook. It inspects redirect
+    responses (3xx with a ``next_request``) and raises
+    :class:`httpx.HTTPStatusError` when the redirect violates *policy*.
+
+    Args:
+        response: The httpx response to check.
+        policy: The redirect policy to enforce.
+    """
+    if not response.is_redirect or response.next_request is None:
+        return
+
+    original_url = response.request.url
+    redirect_url = response.next_request.url
+
+    if policy == RedirectPolicy.BLOCK_SCHEME_DOWNGRADE:
+        if original_url.scheme == "https" and redirect_url.scheme == "http":
+            logger.warning(
+                "Blocked HTTPS-to-HTTP redirect from %s to %s",
+                original_url,
+                redirect_url,
+            )
+            raise httpx.HTTPStatusError(
+                f"HTTPS-to-HTTP redirect blocked: {original_url} -> {redirect_url}",
+                request=response.request,
+                response=response,
+            )
+    elif policy == RedirectPolicy.ENFORCE_HTTPS:
+        if redirect_url.scheme != "https":
+            logger.warning(
+                "Blocked non-HTTPS redirect from %s to %s",
+                original_url,
+                redirect_url,
+            )
+            raise httpx.HTTPStatusError(
+                f"Non-HTTPS redirect blocked: {original_url} -> {redirect_url}",
+                request=response.request,
+                response=response,
+            )
+
+
 class McpHttpClientFactory(Protocol):  # pragma: no branch
     def __call__(  # pragma: no branch
         self,
         headers: dict[str, str] | None = None,
         timeout: httpx.Timeout | None = None,
         auth: httpx.Auth | None = None,
+        redirect_policy: RedirectPolicy = RedirectPolicy.BLOCK_SCHEME_DOWNGRADE,
     ) -> httpx.AsyncClient: ...
 
 
 def create_mcp_http_client(
     headers: dict[str, str] | None = None,
     timeout: httpx.Timeout | None = None,
     auth: httpx.Auth | None = None,
+    redirect_policy: RedirectPolicy = RedirectPolicy.BLOCK_SCHEME_DOWNGRADE,
 ) -> httpx.AsyncClient:
     """Create a standardized httpx AsyncClient with MCP defaults.
 
     This function provides common defaults used throughout the MCP codebase:
     - follow_redirects=True (always enabled)
     - Default timeout of 30 seconds if not specified
+    - SSRF redirect protection via *redirect_policy*
 
     Args:
         headers: Optional headers to include with all requests.
         timeout: Request timeout as httpx.Timeout object.
             Defaults to 30 seconds if not specified.
         auth: Optional authentication handler.
+        redirect_policy: Policy controlling which redirects are allowed.
+            Defaults to ``RedirectPolicy.BLOCK_SCHEME_DOWNGRADE`` which blocks
+            HTTPS-to-HTTP downgrades.  Use ``RedirectPolicy.ENFORCE_HTTPS`` to
+            only allow HTTPS destinations, or ``RedirectPolicy.ALLOW_ALL`` to
+            disable redirect validation entirely (legacy behavior).
 
     Returns:
         Configured httpx.AsyncClient instance with MCP defaults.
@@ -94,4 +168,12 @@ def create_mcp_http_client(
     if auth is not None:  # pragma: no cover
         kwargs["auth"] = auth
 
+    # Install redirect validation hook
+    if redirect_policy != RedirectPolicy.ALLOW_ALL:
+
+        async def check_redirect_hook(response: httpx.Response) -> None:
+            await _check_redirect(response, redirect_policy)
+
+        kwargs["event_hooks"] = {"response": [check_redirect_hook]}
+
     return httpx.AsyncClient(**kwargs)
diff --git a/tests/shared/test_httpx_utils.py b/tests/shared/test_httpx_utils.py
@@ -1,8 +1,11 @@
 """Tests for httpx utility functions."""
 
 import httpx
+import pytest
 
-from mcp.shared._httpx_utils import create_mcp_http_client
+from mcp.shared._httpx_utils import RedirectPolicy, _check_redirect, create_mcp_http_client
+
+pytestmark = pytest.mark.anyio
 
 
 def test_default_settings():
@@ -22,3 +25,142 @@ def test_custom_parameters():
 
     assert client.headers["Authorization"] == "Bearer token"
     assert client.timeout.connect == 60.0
+
+
+def test_default_redirect_policy():
+    """Test that the default redirect policy is BLOCK_SCHEME_DOWNGRADE."""
+    client = create_mcp_http_client()
+    # Event hooks should be installed for the default policy
+    assert len(client.event_hooks["response"]) == 1
+
+
+def test_allow_all_policy_no_hooks():
+    """Test that ALLOW_ALL does not install event hooks."""
+    client = create_mcp_http_client(redirect_policy=RedirectPolicy.ALLOW_ALL)
+    assert len(client.event_hooks["response"]) == 0
+
+
+# --- _check_redirect unit tests ---
+
+
+async def test_check_redirect_ignores_non_redirect():
+    """Test that non-redirect responses are ignored."""
+    response = httpx.Response(200, request=httpx.Request("GET", "https://example.com"))
+    # Should not raise
+    await _check_redirect(response, RedirectPolicy.BLOCK_SCHEME_DOWNGRADE)
+    await _check_redirect(response, RedirectPolicy.ENFORCE_HTTPS)
+
+
+async def test_check_redirect_ignores_redirect_without_next_request():
+    """Test that redirect responses without next_request are ignored."""
+    response = httpx.Response(
+        302,
+        headers={"Location": "http://evil.com"},
+        request=httpx.Request("GET", "https://example.com"),
+    )
+    # next_request is None on a manually constructed response
+    assert response.next_request is None
+    await _check_redirect(response, RedirectPolicy.BLOCK_SCHEME_DOWNGRADE)
+
+
+# --- BLOCK_SCHEME_DOWNGRADE tests ---
+
+
+async def test_block_scheme_downgrade_blocks_https_to_http():
+    """Test BLOCK_SCHEME_DOWNGRADE blocks HTTPS->HTTP redirect."""
+    response = httpx.Response(
+        302,
+        headers={"Location": "http://evil.com"},
+        request=httpx.Request("GET", "https://example.com"),
+    )
+    response.next_request = httpx.Request("GET", "http://evil.com")
+
+    with pytest.raises(httpx.HTTPStatusError, match="HTTPS-to-HTTP redirect blocked"):
+        await _check_redirect(response, RedirectPolicy.BLOCK_SCHEME_DOWNGRADE)
+
+
+async def test_block_scheme_downgrade_allows_https_to_https():
+    """Test BLOCK_SCHEME_DOWNGRADE allows HTTPS->HTTPS redirect."""
+    response = httpx.Response(
+        302,
+        headers={"Location": "https://other.com"},
+        request=httpx.Request("GET", "https://example.com"),
+    )
+    response.next_request = httpx.Request("GET", "https://other.com")
+    await _check_redirect(response, RedirectPolicy.BLOCK_SCHEME_DOWNGRADE)
+
+
+async def test_block_scheme_downgrade_allows_http_to_http():
+    """Test BLOCK_SCHEME_DOWNGRADE allows HTTP->HTTP redirect."""
+    response = httpx.Response(
+        302,
+        headers={"Location": "http://other.com"},
+        request=httpx.Request("GET", "http://example.com"),
+    )
+    response.next_request = httpx.Request("GET", "http://other.com")
+    await _check_redirect(response, RedirectPolicy.BLOCK_SCHEME_DOWNGRADE)
+
+
+async def test_block_scheme_downgrade_allows_http_to_https():
+    """Test BLOCK_SCHEME_DOWNGRADE allows HTTP->HTTPS upgrade."""
+    response = httpx.Response(
+        302,
+        headers={"Location": "https://other.com"},
+        request=httpx.Request("GET", "http://example.com"),
+    )
+    response.next_request = httpx.Request("GET", "https://other.com")
+    await _check_redirect(response, RedirectPolicy.BLOCK_SCHEME_DOWNGRADE)
+
+
+# --- ENFORCE_HTTPS tests ---
+
+
+async def test_enforce_https_blocks_http_target():
+    """Test ENFORCE_HTTPS blocks any HTTP redirect target."""
+    response = httpx.Response(
+        302,
+        headers={"Location": "http://evil.com"},
+        request=httpx.Request("GET", "https://example.com"),
+    )
+    response.next_request = httpx.Request("GET", "http://evil.com")
+
+    with pytest.raises(httpx.HTTPStatusError, match="Non-HTTPS redirect blocked"):
+        await _check_redirect(response, RedirectPolicy.ENFORCE_HTTPS)
+
+
+async def test_enforce_https_blocks_http_to_http():
+    """Test ENFORCE_HTTPS blocks HTTP->HTTP redirect."""
+    response = httpx.Response(
+        302,
+        headers={"Location": "http://other.com"},
+        request=httpx.Request("GET", "http://example.com"),
+    )
+    response.next_request = httpx.Request("GET", "http://other.com")
+
+    with pytest.raises(httpx.HTTPStatusError, match="Non-HTTPS redirect blocked"):
+        await _check_redirect(response, RedirectPolicy.ENFORCE_HTTPS)
+
+
+async def test_enforce_https_allows_https_target():
+    """Test ENFORCE_HTTPS allows HTTPS redirect target."""
+    response = httpx.Response(
+        302,
+        headers={"Location": "https://other.com"},
+        request=httpx.Request("GET", "https://example.com"),
+    )
+    response.next_request = httpx.Request("GET", "https://other.com")
+    await _check_redirect(response, RedirectPolicy.ENFORCE_HTTPS)
+
+
+# --- ALLOW_ALL tests ---
+
+
+async def test_allow_all_permits_https_to_http():
+    """Test ALLOW_ALL permits HTTPS->HTTP redirect."""
+    response = httpx.Response(
+        302,
+        headers={"Location": "http://evil.com"},
+        request=httpx.Request("GET", "https://example.com"),
+    )
+    response.next_request = httpx.Request("GET", "http://evil.com")
+    await _check_redirect(response, RedirectPolicy.ALLOW_ALL)
