security(backends): reject SSRF-prone backend URLs (H1)

[lewiswigmore]

Summary

Closes H1 from the security review (issue #51).

A hostile config/backends.yaml entry could point the health monitor or cleanup client at the cloud metadata service (169.254.169.254), link-local hosts, multicast ranges, or unsupported schemes (file://, gopher://) that httpx will still happily dispatch. None of those are legitimate cleanup backends, and the metadata-service path is the most common SSRF post-exploitation step on cloud-hosted machines.

Approach

Single chokepoint: dictate/safety.py::validate_backend_url called from BackendSpec.__post_init__. Every site that obtains a spec (health pings, dashboard probe, cleanup POSTs) is now validated by construction.

Allowed

• http / https only
• Loopback (127.0.0.0/8, ::1, localhost)
• RFC1918 (10/8, 172.16/12, 192.168/16) — users legitimately host Ollama on the LAN

Blocked

• Link-local (169.254.0.0/16, fe80::/10) — catches AWS/GCP IMDS
• Multicast (224.0.0.0/4)
• Unspecified (0.0.0.0, ::)
• IANA-reserved
• CGNAT (100.64.0.0/10)
• Hostnames ending .internal or .local (cloud service-meshes, mDNS)
• Non-http(s) schemes

UX

health.py catches the ValueError and surfaces backend url rejected: <reason> as a per-backend status entry so the menubar shows the failure instead of silently dying inside the monitor thread.

Tests

• 20 new unit tests in tests/test_safety.py (parametrised allow/block + a BackendSpec-level smoke test)
• pytest: 322 passed
• ruff check + ruff format --check on touched files: clean

[sebastionai]

Pre-merge checks · ✅ 2 · ⚠ 0 · ❌ 0 · ⏭ 1

Check	Status	Reason
PR title	✅	The title clearly describes the specific security change being made.
Description	✅	The body thoroughly explains what, why and how including the threat model and testing details.
Linked issue	⏭	No linked issues were provided.

[sebastionai]

Walkthrough

Adds SSRF protection by validating backend URLs against blocked IP ranges and schemes. A new safety module rejects link-local, multicast, unspecified, reserved and non-HTTP URLs while allowing loopback and RFC1918 addresses. Validation is enforced at BackendSpec construction so all consumers are protected. The health monitor surfaces rejection errors in its status output.

Changes

File	Summary
SSRF validation dictate/safety.py, dictate/config.py	Introduces validate_backend_url and calls it from BackendSpec.post_init to block dangerous URLs at construction time.
Health monitor error handling dictate/health.py	Catches ValueError from backend lookup and reports a descriptive rejection status instead of crashing the monitor thread.
Tests tests/test_safety.py	Adds parametrised tests covering allowed and blocked URLs plus a BackendSpec integration smoke test.

🎯 Effort: 2 (Simple) · ⏱ ~12 minutes

_{Generated by Sebastion AI · docs}

[sebastionai]

🔒 Sebastion AI — security audit complete.

No exploitable findings on this diff. ✅

_{Audited by Sebastion AI · docs · install on more repos}

[sebastiondev]

Approved. Closes H1. Single validation chokepoint in BackendSpec.post_init covers health.py, dashboard probe, and cleanup POSTs. Allow/block matrix is reasonable (loopback + RFC1918 yes, link-local + multicast + .internal no). 20 unit tests, full suite green.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.