Skip to content

fix(security): SSRF via AgentCard URL and context ID Injection (A2A-SSRF-01, A2A-INJ-01) #895

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
amit-raut wants to merge 8 commits into
base: main
Choose a base branch
from
Open

fix(security): SSRF via AgentCard URL and context ID Injection (A2A-SSRF-01, A2A-INJ-01) #895

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
4e72411
fix(security): SSRF via AgentCard URL and context ID Injection (A2A-S…
amit-raut Mar 25, 2026
ac279fe
fix: address review feedback and add tests
amit-raut Mar 27, 2026
4dbb24e
fix(tests): add url attr to AgentCard mocks in test_card_resolver
amit-raut Mar 27, 2026
5056608
fix(ci): resolve JSCPD duplicate and spell-check failures
amit-raut Mar 27, 2026
8c73b03
style: apply ruff formatting to all changed files
amit-raut Mar 27, 2026
8a434d8
fix(ci): correct ruff lint errors and Python 3.10 syntax in security …
amit-raut Mar 28, 2026
681a49f
fix(lint): fix import order in card_resolver.py (I001)
amit-raut Mar 28, 2026
da41f5f
fix(lint): format tests/conftest.py (ruff format)
amit-raut Mar 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/actions/spelling/allow.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,3 +94,9 @@ Tful
tiangolo
typeerror
vulnz
ASSRF
canonname
gaierror
IMDS
INJ
sockaddr
26 changes: 22 additions & 4 deletions src/a2a/client/card_resolver.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@
AgentCard,
)
from a2a.utils.constants import AGENT_CARD_WELL_KNOWN_PATH
from a2a.utils.url_validation import (
A2ASSRFValidationError,
validate_agent_card_url,
)


logger = logging.getLogger(__name__)
Expand Down Expand Up @@ -65,11 +69,10 @@ async def get_agent_card(

Raises:
A2AClientHTTPError: If an HTTP error occurs during the request.
A2AClientJSONError: If the response body cannot be decoded as JSON
or validated against the AgentCard schema.
A2AClientJSONError: If the response body cannot be decoded as JSON,
validated against the AgentCard schema, or fails SSRF URL validation.
"""
if not relative_card_path:
# Use the default public agent card path configured during initialization
path_segment = self.agent_card_path
else:
path_segment = relative_card_path.lstrip('/')
Expand All @@ -89,8 +92,23 @@ async def get_agent_card(
agent_card_data,
)
agent_card = AgentCard.model_validate(agent_card_data)

# Validate card.url before returning (fix for A2A-SSRF-01).
# Without this check, any caller who controls the card endpoint
# can redirect all subsequent RPC calls to an internal address.
try:
validate_agent_card_url(agent_card.url)
# Also validate any additional transport URLs declared in the card.
for iface in agent_card.additional_interfaces or []:
validate_agent_card_url(iface.url)
except A2ASSRFValidationError as e:
raise A2AClientJSONError(
f'AgentCard from {target_url} failed SSRF URL validation: {e}'
) from e

if signature_verifier:
signature_verifier(agent_card)

except httpx.HTTPStatusError as e:
raise A2AClientHTTPError(
e.response.status_code,
Expand All @@ -105,7 +123,7 @@ async def get_agent_card(
503,
f'Network communication error fetching agent card from {target_url}: {e}',
) from e
except ValidationError as e: # Pydantic validation error
except ValidationError as e:
raise A2AClientJSONError(
f'Failed to validate agent card structure from {target_url}: {e.json()}'
) from e
Expand Down
Loading
Loading