USEC-3 [FIX] Add URL security validation for adapter configurations

backend/adapter_processor_v2/adapter_processor.py

@@ -6,8 +6,13 @@
 from cryptography.fernet import Fernet
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
-from platform_settings_v2.platform_auth_service import PlatformAuthenticationService
-from tenant_account_v2.organization_member_service import OrganizationMemberService
+from platform_settings_v2.platform_auth_service import (
+    PlatformAuthenticationService,
+)
+from rest_framework.exceptions import ValidationError
+from tenant_account_v2.organization_member_service import (
+    OrganizationMemberService,
+)
 
 from adapter_processor_v2.constants import AdapterKeys, AllowedDomains
 from adapter_processor_v2.exceptions import (
@@ -27,7 +32,9 @@
 logger = logging.getLogger(__name__)
 
 try:
-    from plugins.subscription.time_trials.subscription_adapter import add_unstract_key
+    from plugins.subscription.time_trials.subscription_adapter import (
+        add_unstract_key,
+    )
 except ImportError:
     add_unstract_key = None
 
@@ -92,8 +99,6 @@ def get_adapter_data_with_key(adapter_id: str, key_value: str) -> Any:
     def test_adapter(adapter_id: str, adapter_metadata: dict[str, Any]) -> bool:
         logger.info(f"Testing adapter: {adapter_id}")
         try:
-            adapter_class = Adapterkit().get_adapter_class_by_adapter_id(adapter_id)
-
             if adapter_metadata.pop(AdapterKeys.ADAPTER_TYPE) == AdapterKeys.X2TEXT:
                 if (
                     adapter_metadata.get(AdapterKeys.PLATFORM_PROVIDED_UNSTRACT_KEY)
@@ -107,7 +112,17 @@ def test_adapter(adapter_id: str, adapter_metadata: dict[str, Any]) -> bool:
                     platform_key.key
                 )
 
-            adapter_instance = adapter_class(adapter_metadata)
+            # Validate URLs for this adapter configuration
+            try:
+                adapter_instance = AdapterProcessor.validate_adapter_urls(
+                    adapter_id, adapter_metadata
+                )
+            except Exception as e:
+                # Format error message similar to test adapter API
+                adapter_name = adapter_metadata.get(AdapterKeys.ADAPTER_NAME, "adapter")
+                error_detail = f"Error testing '{adapter_name}'. {e!s}"
+                raise ValidationError(error_detail) from e
+            # adapter_instance = adapter_class(adapter_metadata)
             test_result: bool = adapter_instance.test_connection()
             return test_result
         except SdkError as e:
@@ -130,6 +145,36 @@ def update_adapter_metadata(adapter_metadata_b: Any, **kwargs) -> Any:
             return adapter_metadata_b
         return adapter_metadata_b
 
+    @staticmethod
+    def validate_adapter_urls(adapter_id: str, adapter_metadata: dict) -> Adapter:
+        """Validate URLs for an adapter configuration without full connection test.
+
+        This method only validates URLs for security (SSRF protection) without
+        attempting actual network connections.
+
+        Args:
+            adapter_id: The adapter ID (e.g., "postgres|70ab6cc2...")
+            adapter_metadata: The adapter configuration metadata
+
+        Returns:
+            Adapter: The adapter instance if validation passes
+
+        Raises:
+            AdapterError: If URL validation fails due to security violations
+        """
+        try:
+            # Get the adapter class
+            adapterkit = Adapterkit()
+            adapter_class = adapterkit.get_adapter_class_by_adapter_id(adapter_id)
+
+            # Create a temporary instance just to get configured URLs
+            # This will trigger URL validation in __init__ but not full connection test
+            return adapter_class(adapter_metadata)
+
+        except Exception as e:
+            logger.error(f"URL validation failed for adapter {adapter_id}: {str(e)}")
+            raise
+
     @staticmethod
     def __fetch_adapters_by_key_value(key: str, value: Any) -> Adapter:
         """Fetches a list of adapters that have an attribute matching key and

backend/adapter_processor_v2/views.py

@@ -1,7 +1,10 @@
+import json
 import logging
 import uuid
 from typing import Any
 
+from cryptography.fernet import Fernet
+from django.conf import settings
 from django.db import IntegrityError
 from django.db.models import ProtectedError, QuerySet
 from django.http import HttpRequest
@@ -14,12 +17,15 @@
 )
 from rest_framework import status
 from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.versioning import URLPathVersioning
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
-from tenant_account_v2.organization_member_service import OrganizationMemberService
+from tenant_account_v2.organization_member_service import (
+    OrganizationMemberService,
+)
 from utils.filtering import FilterHelper
 
 from adapter_processor_v2.adapter_processor import AdapterProcessor
@@ -177,6 +183,57 @@ def create(self, request: Any) -> Response:
             use_platform_unstract_key = True
 
         serializer.is_valid(raise_exception=True)
+
+        # Validate URLs for security without full adapter testing
+        adapter_id = serializer.validated_data.get(AdapterKeys.ADAPTER_ID)
+        adapter_metadata_b = serializer.validated_data.get(AdapterKeys.ADAPTER_METADATA_B)
+
+        if not adapter_metadata_b:
+            raise ValidationError("Missing adapter metadata for validation.")
+
+        # Decrypt metadata to get configuration
+        try:
+        # Validate URLs for security without full adapter testing
+        adapter_id = serializer.validated_data.get(AdapterKeys.ADAPTER_ID)
+        adapter_metadata_b = serializer.validated_data.get(AdapterKeys.ADAPTER_METADATA_B)
+
+        from rest_framework.exceptions import ValidationError
+        if not adapter_metadata_b:
+            raise ValidationError("Missing adapter metadata for validation.")
+
+        # Decrypt metadata to get configuration
+        try:
+            fernet = Fernet(settings.ENCRYPTION_KEY.encode("utf-8"))
+            decrypted_json = fernet.decrypt(adapter_metadata_b)
+            decrypted_metadata = json.loads(decrypted_json.decode("utf-8"))
+            # Ensure object shape
+            from rest_framework.exceptions import ValidationError
+            if not isinstance(decrypted_metadata, dict):
+                raise ValidationError("Invalid adapter metadata format: expected JSON object.")
+        except Exception as e:  # InvalidToken/JSONDecodeError/TypeError/etc.
+            raise ValidationError("Invalid adapter metadata.") from e
+
+        # Validate URLs for this adapter configuration
+        try:
+            _ = AdapterProcessor.validate_adapter_urls(adapter_id, decrypted_metadata)
+        except Exception as e:
+            # Format error message similar to test adapter API
+            adapter_name = (
+                decrypted_metadata.get(AdapterKeys.ADAPTER_NAME, "adapter")
+                if isinstance(decrypted_metadata, dict)
+                else "adapter"
+            )
+            error_detail = f"Error testing '{adapter_name}'. {e!s}"
+            raise ValidationError(error_detail) from e
+
+        # Validate URLs for this adapter configuration
+        try:
+            AdapterProcessor.validate_adapter_urls(adapter_id, decrypted_metadata)
+        except Exception as e:
+            # Format error message similar to test adapter API
+            adapter_name = decrypted_metadata.get(AdapterKeys.ADAPTER_NAME, "adapter")
+            error_detail = f"Error testing '{adapter_name}'. {e!s}"
+            raise ValidationError(error_detail) from e
         try:
             adapter_type = serializer.validated_data.get(AdapterKeys.ADAPTER_TYPE)
 
@@ -359,6 +416,40 @@ def update(
         # Get the adapter instance for update
         adapter = self.get_object()
 
+        # Get serializer and validate data first
+        serializer = self.get_serializer(adapter, data=request.data, partial=True)
+        serializer.is_valid(raise_exception=True)
+
+        # Validate URLs for security if metadata is being updated
+        if AdapterKeys.ADAPTER_METADATA_B in serializer.validated_data:
+            adapter_id = (
+                serializer.validated_data.get(AdapterKeys.ADAPTER_ID)
+                or adapter.adapter_id
+            )
+            adapter_metadata_b = serializer.validated_data.get(
+                AdapterKeys.ADAPTER_METADATA_B
+            )
+
+        if not adapter_id or adapter_metadata_b:
+            raise ValidationError("Missing adapter metadata for validation.")
+
+        # Decrypt metadata to get configuration
+        try:
+            fernet = Fernet(settings.ENCRYPTION_KEY.encode("utf-8"))
+            decrypted_json = fernet.decrypt(adapter_metadata_b)
+            decrypted_metadata = json.loads(decrypted_json.decode("utf-8"))
+        except Exception as e:  # InvalidToken/JSONDecodeError/TypeError/etc.
+            raise ValidationError("Invalid adapter metadata.") from e
+
+        # Validate URLs for this adapter configuration
+        try:
+            _ = AdapterProcessor.validate_adapter_urls(adapter_id, decrypted_metadata)
+        except Exception as e:
+            # Format error message similar to test adapter API
+            adapter_name = decrypted_metadata.get(AdapterKeys.ADAPTER_NAME, "adapter")
+            error_detail = f"Error testing '{adapter_name}'. {e!s}"
+            raise ValidationError(error_detail) from e
+
         if use_platform_unstract_key:
             logger.error("Processing adapter with platform key")
             serializer = self.get_serializer(adapter, data=request.data, partial=True)

backend/sample.env

@@ -200,3 +200,8 @@ RUNNER_POLLING_INTERVAL_SECONDS=2
 # Default: 1800 seconds (30 minutes)
 # Examples: 900 (15 min), 1800 (30 min), 3600 (60 min)
 MIN_SCHEDULE_INTERVAL_SECONDS=1800
+
+# WHitelisted adapter URLs to allow user to connect to locally hosted adapters.
+# Whitelisting 10.68.0.10 to allow frictionless adapter connection to
+# managed Postgres for VectorDB
+ALLOWED_ADAPTER_PRIVATE_ENDPOINTS="127.0.0.1, 10.68.0.10"