trace_308b00b5fc094c8182c0a2ef0430abca

This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start from src/infra/net/fetch-guard.ts and analyze the trusted_env_proxy dispatcher-selection path in fetchWithSsrFGuard. Give grounded evidence showing how DNS pinning/resolution is ordered relative to proxy-env detection, and use the nearby regression test only to confirm the intended security boundary.

{
  "executiveSummary": "Vulnerability in `fetchWithSsrFGuard` function (src/infra/net/fetch-guard.ts) where DNS pinning and SSRF validation (`resolvePinnedHostnameWithPolicy`) is performed before checking whether a trusted environment proxy should handle the request. This violates the intended security boundary where operator-configured proxies own name resolution, causing unnecessary DNS side-effects, false SSRF blocks, and information disclosure.",
  "reports": [
    {
      "title": "DNS Pinning Performed Before Proxy-Env Check in Trusted Env-Proxy Mode",
      "severity": "HIGH",
      "summary": "In `fetchWithSsrFGuard`, the `resolvePinnedHostnameWithPolicy()` function is unconditionally invoked before checking whether the request should use an operator-configured environment proxy. When `mode: \"trusted_env_proxy\"` is set and a proxy environment variable (e.g., `HTTP_PROXY`) is configured, the proxy should handle DNS resolution, but the application still performs local DNS pinning and SSRF validation first. This causes unnecessary DNS side-effects, potential false SSRF blocks on legitimate proxy-routable targets, and information disclosure via DNS queries to the resolver.",
      "rootCauseAnalysis": "The dispatcher-selection logic in `fetchWithSsrFGuard` (src/infra/net/fetch-guard.ts, lines 312-328) has an incorrect execution order. Specifically, line 316-319 calls `await resolvePinnedHostnameWithPolicy(parsedUrl.hostname, ...)` unconditionally, performing DNS resolution and SSRF validation. Only AFTER this completes does line 320-321 check `const canUseTrustedEnvProxy = mode === GUARDED_FETCH_MODE.TRUSTED_ENV_PROXY && hasProxyEnvConfigured()`. If `canUseTrustedEnvProxy` is true, the code creates `createHttp1EnvHttpProxyAgent()` at line 323, which delegates DNS to the proxy--making the prior `resolvePinnedHostnameWithPolicy` call redundant and potentially harmful. The DNS pinning should only occur on non-env-proxy paths.",
      "impact": "When `TRUSTED_ENV_PROXY` mode is active and a proxy environment variable is configured, the application incorrectly performs DNS resolution and SSRF checks on the target hostname before determining that the proxy should handle the request. This leads to: (1) Unnecessary DNS queries to external resolvers that could leak internal hostnames, (2) False SSRF blocking when legitimate targets resolve to internal addresses that the proxy would safely reach, and (3) Violation of the security boundary where trusted proxies should own name resolution.",
      "attackPath": "1. Application configured with `mode: GUARDED_FETCH_MODE.TRUSTED_ENV_PROXY` for trusted outbound requests. 2. Operator configures `HTTP_PROXY=http://corporate-proxy:8080` to route traffic through a trusted proxy that handles internal DNS resolution. 3. Application receives a request to fetch from an internal hostname (e.g., `internal-api.company.local`) that the proxy can legitimately reach but which resolves to RFC1918 addresses (e.g., `10.0.