ADR-0018: Ingestion source security and content safety

​

Context

​

Decision

• URL fetch path is restricted to http/https, checks blocked/private host patterns, and validates DNS resolution against private/internal addresses.
• Fetching enforces redirect limits, request timeout limits, and max source byte size limits.
• Storage downloads enforce ownership-constrained path prefixes (reflectionId/sourceId/...) before retrieval.
• Upload URL creation limits MIME types and uses deterministic storage paths tied to reflection/source IDs.

​

Alternatives considered

​

Alternative 1: Trust source URIs and rely on infrastructure network controls only

• Minimal application code.

• Higher SSRF and data-exfiltration risk at app layer.
• Harder to reason about content safety behavior during audits.

​

Alternative 2: Proxy all ingestion through a separate sandbox service

• Strong isolation boundary.

• Significant infrastructure complexity and latency overhead.
• More operational burden than current complexity budget allows.

​

Alternative 3: Allow only uploaded files, no external URL ingestion

• Smaller attack surface.

• Reduced product flexibility for source onboarding.
• Worse user DX for web/document ingestion workflows.

​

Consequences

• Reduced SSRF and oversized payload risk.
• More deterministic failure modes with explicit error codes.
• Better alignment between API upload controls and worker ingestion checks.

• Additional validation logic and maintenance.
• Potential false positives for unusual but valid network sources.

​

Implementation notes

• SSRF/content-size/redirect controls are implemented in the worker ingestion pipeline.
• Runtime safety limits are configured and validated via the shared environment configuration.
• API upload path constraints are enforced in the sources route handler.

​

Related ADRs

• ADR-0010: Ingestion orchestration, idempotency, and recovery
• ADR-0004: Primary data platform: Supabase Postgres
• ADR-0015: Tenant isolation and database RLS boundary