From c5455137f97e4e39cd5af98cebc874d0b7cd08b5 Mon Sep 17 00:00:00 2001 From: Henry Heng Date: Thu, 13 Mar 2025 20:00:32 +0000 Subject: [PATCH] Bugfix/Validate URL for postCore (#4172) validare url for postCore --- .../components/nodes/chains/ApiChain/postCore.ts | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/packages/components/nodes/chains/ApiChain/postCore.ts b/packages/components/nodes/chains/ApiChain/postCore.ts index d7ac7cb1..0a40fb09 100644 --- a/packages/components/nodes/chains/ApiChain/postCore.ts +++ b/packages/components/nodes/chains/ApiChain/postCore.ts @@ -92,6 +92,21 @@ export class APIChain extends BaseChain implements APIChainInput { const { url, data } = JSON.parse(api_url_body) + // Validate request is not to internal/private networks + const urlObj = new URL(url) + const hostname = urlObj.hostname + + if ( + hostname === 'localhost' || + hostname === '127.0.0.1' || + hostname.startsWith('192.168.') || + hostname.startsWith('10.') || + hostname.startsWith('172.16.') || + hostname.includes('internal') + ) { + throw new Error('Access to internal networks is not allowed') + } + const res = await fetch(url, { method: 'POST', headers: this.headers,
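Review bot: The hostname check added before `fetch` compares strings only, so much of the internal address space stays reachable: `startsWith('172.16.')` covers a single /16 of the private 172.16.0.0/12 range, nothing covers link-local 169.254.0.0/16, the rest of 127.0.0.0/8 or IPv6 loopback and unique-local addresses, and a name that resolves to a private address is never looked at, while `includes('internal')` rejects legitimate public hosts. I would restrict the scheme to http/https, resolve the host, and test every resulting address against a `BlockList` (from `node:net`, with `lookup` from `node:dns/promises`), as sketched below. Because `fetch` resolves the name again and follows redirects by default, the check remains advisory unless the call also sets `redirect: 'manual'` or re-validates each hop; the fetch options and the enclosing method continue outside this hunk, so I cannot tell whether that is already handled. `new URL(url)` also throws a bare TypeError on a malformed model-produced URL, which deserves a clearer error.

```typescript
const { url, data } = JSON.parse(api_url_body)

// Validate request is not to internal/private networks
const urlObj = new URL(url)
if (urlObj.protocol !== 'http:' && urlObj.protocol !== 'https:') {
    throw new Error('Only http and https URLs are allowed')
}

// Judge the addresses the name resolves to, not the spelling of the hostname
const blocked = new BlockList()
blocked.addSubnet('0.0.0.0', 8)
blocked.addSubnet('127.0.0.0', 8)
blocked.addSubnet('10.0.0.0', 8)
blocked.addSubnet('172.16.0.0', 12)
blocked.addSubnet('192.168.0.0', 16)
blocked.addSubnet('169.254.0.0', 16)
blocked.addAddress('::1', 'ipv6')
blocked.addSubnet('fc00::', 7, 'ipv6')
blocked.addSubnet('fe80::', 10, 'ipv6')

// URL.hostname keeps the brackets around an IPv6 literal
const host = urlObj.hostname.replace(/^\[|\]$/g, '')
const addresses = await lookup(host, { all: true })
if (addresses.some(({ address, family }) => blocked.check(address, family === 6 ? 'ipv6' : 'ipv4'))) {
    throw new Error('Access to internal networks is not allowed')
}

// … unchanged: fetch(url, { method: 'POST', headers: this.headers, … }) …
```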