From f01389df02b1c6bf9cf256ff2e9fda9ccf6ed398 Mon Sep 17 00:00:00 2001 From: satvu Date: Tue, 18 Nov 2025 14:39:44 -0800 Subject: [PATCH 1/3] initial update --- NuGet.config | 1 + .../Management/AtlasInstanceManager.cs | 5 ++-- .../PackageDownloadHandler.cs | 4 ++-- .../SSRF/AntiSSRFConstants.cs | 10 ++++++++ .../AntiSSRFServiceCollectionExtensions.cs | 23 +++++++++++++++++++ .../WebHostServiceCollectionExtensions.cs | 10 ++++---- .../WebJobs.Script.WebHost.csproj | 1 + .../BundlesServiceCollectionExtensions.cs | 2 -- 8 files changed, 46 insertions(+), 10 deletions(-) create mode 100644 src/WebJobs.Script.WebHost/SSRF/AntiSSRFConstants.cs create mode 100644 src/WebJobs.Script.WebHost/SSRF/AntiSSRFServiceCollectionExtensions.cs diff --git a/NuGet.config b/NuGet.config index e0fc4ebfa8..1a4f035b4d 100644 --- a/NuGet.config +++ b/NuGet.config @@ -9,5 +9,6 @@ + diff --git a/src/WebJobs.Script.WebHost/Management/AtlasInstanceManager.cs b/src/WebJobs.Script.WebHost/Management/AtlasInstanceManager.cs index a4cf1948dc..a7c7678c46 100644 --- a/src/WebJobs.Script.WebHost/Management/AtlasInstanceManager.cs +++ b/src/WebJobs.Script.WebHost/Management/AtlasInstanceManager.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the MIT License. See License.txt in the project root for license information. using System; 
@@ -39,7 +39,7 @@ public AtlasInstanceManager(IOptionsFactory option IPackageDownloadHandler packageDownloadHandler) : base(httpClientFactory, webHostEnvironment, environment, logger, metricsLogger, meshServiceClient) { - _client = httpClientFactory?.CreateClient() ?? throw new ArgumentNullException(nameof(httpClientFactory)); + _client = httpClientFactory?.CreateClient(AntiSSRFConstants.AntiSSRFHttpClientName) ?? throw new ArgumentNullException(nameof(httpClientFactory)); _webHostEnvironment = webHostEnvironment ?? throw new ArgumentNullException(nameof(webHostEnvironment)); _logger = logger ?? throw new ArgumentNullException(nameof(logger)); _metricsLogger = metricsLogger; @@ -182,6 +182,7 @@ protected override async Task DownloadWarmupAsync(RunFromPackageContext string error = null; HttpResponseMessage response = null; long? contentLength = null; + try { if (!string.IsNullOrEmpty(blobUri)) diff --git a/src/WebJobs.Script.WebHost/Management/LinuxSpecialization/PackageDownloadHandler.cs b/src/WebJobs.Script.WebHost/Management/LinuxSpecialization/PackageDownloadHandler.cs index 99b00cd18c..6bccf75a57 100644 --- a/src/WebJobs.Script.WebHost/Management/LinuxSpecialization/PackageDownloadHandler.cs +++ b/src/WebJobs.Script.WebHost/Management/LinuxSpecialization/PackageDownloadHandler.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the MIT License. See License.txt in the project root for license information. using System; 
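Review bot: In the AtlasInstanceManager constructor, `CreateClient(AntiSSRFConstants.AntiSSRFHttpClientName)` fails open. IHttpClientFactory returns a default-configured client for a name that was never registered, so a host or test setup that builds this class without calling `AddAntiSSRFHttpClient()` gets an unfiltered client and no error. The same applies to the identical change in the PackageDownloadHandler constructor. A unit test that builds the service collection and asserts the named client's primary handler is the AntiSSRF handler would catch a missing or misspelled registration. The constructor also still passes `httpClientFactory` to `base(...)`; the base class is outside this hunk, so it is worth confirming it does not create its own unnamed client for package URLs.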
@@ -34,7 +34,7 @@ public PackageDownloadHandler(IHttpClientFactory httpClientFactory, IManagedIden IBashCommandHandler bashCommandHandler, IEnvironment environment, IFileSystem fileSystem, ILogger logger, IMetricsLogger metricsLogger) { - _httpClient = httpClientFactory?.CreateClient() ?? throw new ArgumentNullException(nameof(httpClientFactory)); + _httpClient = httpClientFactory?.CreateClient(AntiSSRFConstants.AntiSSRFHttpClientName) ?? throw new ArgumentNullException(nameof(httpClientFactory)); _managedIdentityTokenProvider = managedIdentityTokenProvider ?? throw new ArgumentNullException(nameof(managedIdentityTokenProvider)); _bashCommandHandler = bashCommandHandler ?? throw new ArgumentNullException(nameof(bashCommandHandler)); _environment = environment ?? throw new ArgumentNullException(nameof(environment)); diff --git a/src/WebJobs.Script.WebHost/SSRF/AntiSSRFConstants.cs b/src/WebJobs.Script.WebHost/SSRF/AntiSSRFConstants.cs new file mode 100644 index 0000000000..267a42caf0 --- /dev/null +++ b/src/WebJobs.Script.WebHost/SSRF/AntiSSRFConstants.cs @@ -0,0 +1,10 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for license information. + +namespace Microsoft.Azure.WebJobs.Script.WebHost +{ + public static class AntiSSRFConstants + { + public static readonly string AntiSSRFHttpClientName = "AntiSSRFClient"; + } +} diff --git a/src/WebJobs.Script.WebHost/SSRF/AntiSSRFServiceCollectionExtensions.cs b/src/WebJobs.Script.WebHost/SSRF/AntiSSRFServiceCollectionExtensions.cs new file mode 100644 index 0000000000..841d36e16f --- /dev/null +++ b/src/WebJobs.Script.WebHost/SSRF/AntiSSRFServiceCollectionExtensions.cs 
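Review bot: `AntiSSRFHttpClientName` in the new AntiSSRFConstants class has no doc comment, yet the name is the only link between a call site and the SSRF-filtering handler. I would add `/// <summary>Name of the IHttpClientFactory client whose primary handler enforces the AntiSSRF policy; clients created under any other name are not filtered.</summary>`. As a style point, `public const string` is the usual form for a fixed client name, unless `static readonly` was chosen deliberately to avoid cross-assembly inlining.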
@@ -0,0 +1,23 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the MIT License. See License.txt in the project root for license information. + +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Internal.AntiSSRF; + +namespace Microsoft.Azure.WebJobs.Script.WebHost +{ + public static class AntiSSRFServiceCollectionExtensions + { + public static IServiceCollection AddAntiSSRFHttpClient(this IServiceCollection services) + { + // create and add SSRF HTTP client + var policy = new AntiSSRFPolicy(); + policy.SetDefaults(); + var handler = policy.GetHandler(); + services.AddHttpClient(AntiSSRFConstants.AntiSSRFHttpClientName) + .ConfigurePrimaryHttpMessageHandler(() => handler); + + return services; + } + } +} \ No newline at end of file diff --git a/src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs b/src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs index 4dc8b755bd..df16f97620 100644 --- a/src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs +++ b/src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs @@ -1,10 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the MIT License. See License.txt in the project root for license information. -using System; -using System.IO.Abstractions; -using System.Net.Http; -using System.Runtime.InteropServices; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Builder; using Microsoft.Azure.Functions.Platform.Metrics.LinuxConsumption; @@ -41,6 +37,11 @@ using Microsoft.Extensions.Hosting; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; +using Microsoft.Internal.AntiSSRF; +using System; +using System.IO.Abstractions; +using System.Net.Http; +using System.Runtime.InteropServices; namespace Microsoft.Azure.WebJobs.Script.WebHost { 
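Review bot: In `AddAntiSSRFHttpClient`, the lambda passed to `ConfigurePrimaryHttpMessageHandler` returns the single `handler` instance captured at registration time, but IHttpClientFactory calls that delegate again each time it rotates handlers (two minutes by default) and disposes the expired chain. If that disposal reaches the shared instance, later downloads through the named client would fail with ObjectDisposedException. Building the handler inside the delegate avoids this: `.ConfigurePrimaryHttpMessageHandler(() => policy.GetHandler());`, assuming `GetHandler()` returns a new handler per call, which this hunk does not show. A short comment on what `SetDefaults()` denies would also help confirm that legitimate package URLs (for example storage behind private endpoints) stay reachable.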
@@ -144,6 +145,7 @@ public static void AddWebJobsScriptHost(this IServiceCollection services, IConfi services.AddSingleton(); services.AddSingleton(); services.AddHttpClient(); + services.AddAntiSSRFHttpClient(); services.AddBundlesHttpClient(); services.AddSingleton(); diff --git a/src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj b/src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj index dc66aabfd9..e8d10318b9 100644 --- a/src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj +++ b/src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj @@ -72,6 +72,7 @@ + diff --git a/src/WebJobs.Script/ExtensionBundle/BundlesServiceCollectionExtensions.cs b/src/WebJobs.Script/ExtensionBundle/BundlesServiceCollectionExtensions.cs index dde845f4bb..37ba6e43a1 100644 --- a/src/WebJobs.Script/ExtensionBundle/BundlesServiceCollectionExtensions.cs +++ b/src/WebJobs.Script/ExtensionBundle/BundlesServiceCollectionExtensions.cs @@ -3,8 +3,6 @@ using System; using System.Net; -using System.Net.Http; -using System.Runtime.InteropServices; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using Polly; From 277f5c16318fa9e4108ac4098ffb3430cd220e65 Mon Sep 17 00:00:00 2001 From: satvu Date: Tue, 18 Nov 2025 14:43:22 -0800 Subject: [PATCH 2/3] cleanup --- NuGet.config | 1 - .../WebHostServiceCollectionExtensions.cs | 9 ++++----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/NuGet.config b/NuGet.config index 1a4f035b4d..e0fc4ebfa8 100644 --- a/NuGet.config +++ b/NuGet.config @@ -9,6 +9,5 @@ - diff --git a/src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs b/src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs index df16f97620..f0084c1ca5 100644 --- a/src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs +++ b/src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs 
@@ -1,6 +1,10 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the MIT License. See License.txt in the project root for license information. +using System; +using System.IO.Abstractions; +using System.Net.Http; +using System.Runtime.InteropServices; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Builder; using Microsoft.Azure.Functions.Platform.Metrics.LinuxConsumption; @@ -37,11 +41,6 @@ using Microsoft.Extensions.Hosting; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; -using Microsoft.Internal.AntiSSRF; -using System; -using System.IO.Abstractions; -using System.Net.Http; -using System.Runtime.InteropServices; namespace Microsoft.Azure.WebJobs.Script.WebHost { From 658a6364b2ec915764bd29508880ccf7c1de50d7 Mon Sep 17 00:00:00 2001 From: satvu Date: Tue, 18 Nov 2025 14:55:19 -0800 Subject: [PATCH 3/3] rename --- .../{SSRF => AntiSSRF}/AntiSSRFConstants.cs | 0 .../{SSRF => AntiSSRF}/AntiSSRFServiceCollectionExtensions.cs | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename src/WebJobs.Script.WebHost/{SSRF => AntiSSRF}/AntiSSRFConstants.cs (100%) rename src/WebJobs.Script.WebHost/{SSRF => AntiSSRF}/AntiSSRFServiceCollectionExtensions.cs (100%) diff --git a/src/WebJobs.Script.WebHost/SSRF/AntiSSRFConstants.cs b/src/WebJobs.Script.WebHost/AntiSSRF/AntiSSRFConstants.cs similarity index 100% rename from src/WebJobs.Script.WebHost/SSRF/AntiSSRFConstants.cs rename to src/WebJobs.Script.WebHost/AntiSSRF/AntiSSRFConstants.cs diff --git a/src/WebJobs.Script.WebHost/SSRF/AntiSSRFServiceCollectionExtensions.cs b/src/WebJobs.Script.WebHost/AntiSSRF/AntiSSRFServiceCollectionExtensions.cs similarity index 100% rename from src/WebJobs.Script.WebHost/SSRF/AntiSSRFServiceCollectionExtensions.cs rename to src/WebJobs.Script.WebHost/AntiSSRF/AntiSSRFServiceCollectionExtensions.cs