fix(mcp): guard OAuth discovery and token revocation against SSRF

Route discoverOAuthServerInfo and the RFC 7009 revocation POST through an
SSRF-guarded fetch that validates every request URL via validateMcpServerSsrf
(blocking private/reserved/loopback targets, honoring ALLOWED_MCP_DOMAINS and
self-hosted localhost rules) and pins the connection to the resolved IP to
prevent DNS-rebinding TOCTOU. Previously these fetches used unvalidated global
fetch against URLs taken verbatim from attacker-controllable
authorization-server metadata.

Author: waleedlatif1

apps/sim/lib/mcp/oauth/revoke.ts

@@ -1,11 +1,13 @@
 import { discoverOAuthServerInfo } from '@modelcontextprotocol/sdk/client/auth.js'
+import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js'
 import { db } from '@sim/db'
 import { mcpServers } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
 import { eq } from 'drizzle-orm'
 import { decryptSecret } from '@/lib/core/security/encryption'
 import { loadOauthRow } from '@/lib/mcp/oauth/storage'
+import { createSsrfGuardedMcpFetch } from '@/lib/mcp/pinned-fetch'
 
 const logger = createLogger('McpOauthRevoke')
 const REVOKE_TIMEOUT_MS = 5000
@@ -30,7 +32,10 @@ export async function revokeMcpOauthTokens(mcpServerId: string): Promise<void> {
       .limit(1)
     if (!server?.url) return
 
-    const info = await discoverOAuthServerInfo(server.url).catch(() => undefined)
+    const ssrfGuardedFetch = createSsrfGuardedMcpFetch()
+    const info = await discoverOAuthServerInfo(server.url, { fetchFn: ssrfGuardedFetch }).catch(
+      () => undefined
+    )
     const metadata = info?.authorizationServerMetadata as
       | (Record<string, unknown> & { revocation_endpoint?: string })
       | undefined
@@ -60,7 +65,7 @@ export async function revokeMcpOauthTokens(mcpServerId: string): Promise<void> {
     }
 
     for (const { token, hint } of tokensToRevoke) {
-      await postRevoke(revocationEndpoint, token, hint, clientId, clientSecret)
+      await postRevoke(revocationEndpoint, token, hint, clientId, clientSecret, ssrfGuardedFetch)
     }
   } catch (error) {
     logger.warn(`Token revocation failed for server ${mcpServerId}`, {
@@ -74,7 +79,8 @@ async function postRevoke(
   token: string,
   hint: 'refresh_token' | 'access_token',
   clientId: string,
-  clientSecret: string | undefined
+  clientSecret: string | undefined,
+  fetchFn: FetchLike
 ): Promise<void> {
   const controller = new AbortController()
   const timer = setTimeout(() => controller.abort(), REVOKE_TIMEOUT_MS)
@@ -89,7 +95,7 @@ async function postRevoke(
     } else {
       params.set('client_id', clientId)
     }
-    const res = await fetch(endpoint, {
+    const res = await fetchFn(endpoint, {
       method: 'POST',
       headers,
       body: params.toString(),

apps/sim/lib/mcp/pinned-fetch.test.ts

@@ -25,12 +25,23 @@ const { mockAgent, mockCreatePinnedLookup, mockUndiciFetch, capturedAgentOptions
     }
   })
 
+const { mockValidateMcpServerSsrf } = vi.hoisted(() => ({
+  mockValidateMcpServerSsrf: vi.fn(),
+}))
+
 vi.mock('undici', () => ({ Agent: mockAgent, fetch: mockUndiciFetch }))
 vi.mock('@/lib/core/security/input-validation.server', () => ({
   createPinnedLookup: mockCreatePinnedLookup,
 }))
+vi.mock('@/lib/mcp/domain-check', () => ({
+  validateMcpServerSsrf: mockValidateMcpServerSsrf,
+}))
 
-import { __resetPinnedAgentsForTests, createMcpPinnedFetch } from '@/lib/mcp/pinned-fetch'
+import {
+  __resetPinnedAgentsForTests,
+  createMcpPinnedFetch,
+  createSsrfGuardedMcpFetch,
+} from '@/lib/mcp/pinned-fetch'
 
 describe('createMcpPinnedFetch', () => {
   beforeEach(() => {
@@ -125,3 +136,45 @@ describe('createMcpPinnedFetch', () => {
     expect(mockUndiciFetch).toHaveBeenCalledTimes(1)
   })
 })
+
+describe('createSsrfGuardedMcpFetch', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    capturedAgentOptions.length = 0
+    __resetPinnedAgentsForTests()
+    mockCreatePinnedLookup.mockReturnValue('pinned-lookup-fn')
+    mockUndiciFetch.mockResolvedValue(new Response('ok'))
+  })
+
+  it('validates each request URL and pins to the resolved IP', async () => {
+    mockValidateMcpServerSsrf.mockResolvedValue('203.0.113.10')
+    const fetchLike = createSsrfGuardedMcpFetch()
+    await fetchLike('https://attacker.example/revoke', { method: 'POST' })
+
+    expect(mockValidateMcpServerSsrf).toHaveBeenCalledWith('https://attacker.example/revoke')
+    expect(mockUndiciFetch).toHaveBeenCalledTimes(1)
+    const [url, init] = mockUndiciFetch.mock.calls[0]
+    expect(url).toBe('https://attacker.example/revoke')
+    expect((init as { dispatcher?: unknown }).dispatcher).toBeInstanceOf(mockAgent)
+    expect((init as { method?: string }).method).toBe('POST')
+  })
+
+  it('rejects URLs that resolve to blocked IPs without issuing the request', async () => {
+    mockValidateMcpServerSsrf.mockRejectedValue(new Error('blocked'))
+    const fetchLike = createSsrfGuardedMcpFetch()
+
+    await expect(
+      fetchLike('http://169.254.169.254/latest/meta-data/', { method: 'POST' })
+    ).rejects.toThrow('blocked')
+    expect(mockUndiciFetch).not.toHaveBeenCalled()
+  })
+
+  it('accepts URL objects and validates their href', async () => {
+    mockValidateMcpServerSsrf.mockResolvedValue('203.0.113.10')
+    const fetchLike = createSsrfGuardedMcpFetch()
+    await fetchLike(new URL('https://attacker.example/discover'))
+
+    expect(mockValidateMcpServerSsrf).toHaveBeenCalledWith('https://attacker.example/discover')
+    expect(mockUndiciFetch).toHaveBeenCalledTimes(1)
+  })
+})

apps/sim/lib/mcp/pinned-fetch.ts

@@ -1,6 +1,7 @@
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js'
 import { Agent, type RequestInit as UndiciRequestInit, fetch as undiciFetch } from 'undici'
 import { createPinnedLookup } from '@/lib/core/security/input-validation.server'
+import { validateMcpServerSsrf } from '@/lib/mcp/domain-check'
 
 /**
  * Pins outbound HTTP connections to a pre-resolved IP to prevent DNS-rebinding
@@ -54,3 +55,25 @@ export function createMcpPinnedFetch(resolvedIP: string): FetchLike {
     return response as unknown as Response
   }) satisfies FetchLike
 }
+
+/**
+ * Builds a `FetchLike` that validates every outbound request URL against the
+ * MCP SSRF policy before issuing it, then pins the connection to the resolved
+ * IP. Unlike the live transport — where the server URL is validated once up
+ * front — OAuth discovery and RFC 7009 revocation follow URLs taken verbatim
+ * from attacker-controllable authorization-server metadata
+ * (`authorization_servers`, `token_endpoint`, `revocation_endpoint`, …). Each
+ * such hop must be re-validated, so this guard runs `validateMcpServerSsrf`
+ * per request and rejects private/reserved/loopback targets (honoring
+ * `ALLOWED_MCP_DOMAINS` and self-hosted localhost rules).
+ *
+ * @throws McpSsrfError if a request URL resolves to a blocked IP address
+ */
+export function createSsrfGuardedMcpFetch(): FetchLike {
+  return (async (url, init) => {
+    const target = typeof url === 'string' ? url : url.href
+    const resolvedIP = await validateMcpServerSsrf(target)
+    const pinnedFetch: FetchLike = resolvedIP ? createMcpPinnedFetch(resolvedIP) : globalThis.fetch
+    return pinnedFetch(url, init)
+  }) satisfies FetchLike
+}