farcasclaudiu/openclaw
1
0
Fork 0
mirror of https://github.com/farcasclaudiu/openclaw.git synced 2026-06-29 05:02:04 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block private/loopback/metadata IPs in link-understanding URL detection (#15604)

Browse Source 
* fix(security): block private/loopback/metadata IPs in link-understanding URL detection

isAllowedUrl() only blocked 127.0.0.1, leaving localhost, ::1, 0.0.0.0,
private RFC1918 ranges, link-local (169.254.x.x including cloud metadata),
and CGNAT (100.64.0.0/10) accessible for SSRF via link-understanding.

Add comprehensive hostname/IP blocking consistent with the SSRF guard
already used by media/fetch.ts.

* fix(security): harden link-understanding SSRF host checks

* fix: note link-understanding SSRF hardening in changelog (#15604) (thanks @AI-Reviewer-QS)

---------

Co-authored-by: Yi LIU <yi@quantstamp.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
This commit is contained in:
AI-Reviewer-QS
2026-02-14 01:38:40 +08:00
committed by GitHub
parent fdfc34fa1f
commit 649826e435
3 changed files with 53 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+1
View File
@@ -22,6 +22,7 @@ Docs: https://docs.openclaw.ai
- Security/Audit: distinguish external webhooks (`hooks.enabled`) from internal hooks (`hooks.internal.enabled`) in attack-surface summaries to avoid false exposure signals when only internal hooks are enabled. (#13474) Thanks @mcaxtr.
- Security/Onboarding: clarify multi-user DM isolation remediation with explicit `openclaw config set session.dmScope ...` commands in security audit, doctor security, and channel onboarding guidance. (#13129) Thanks @VintLin.
- Security/Audit: add misconfiguration checks for sandbox Docker config with sandbox mode off, ineffective `gateway.nodes.denyCommands` entries, global minimal tool-profile overrides by agent profiles, and permissive extension-plugin tool reachability.
- Security/Link understanding: block loopback/internal host patterns and private/mapped IPv6 addresses in extracted URL handling to close SSRF bypasses in link CLI flows. (#15604) Thanks @AI-Reviewer-QS.
- Android/Nodes: harden `app.update` by requiring HTTPS and gateway-host URL matching plus SHA-256 verification, stream URL camera downloads to disk with size guards to avoid memory spikes, and stop signing release builds with debug keys. (#13541) Thanks @smartprogrammer93.
- Auto-reply/Threading: auto-inject implicit reply threading so `replyToMode` works without requiring model-emitted `[[reply_to_current]]`, while preserving `replyToMode: "off"` behavior for implicit Slack replies and keeping block-streaming chunk coalescing stable under `replyToMode: "first"`. (#14976) Thanks @Diaspar4u.
- Sandbox: pass configured `sandbox.docker.env` variables to sandbox containers at `docker create` time. (#15138) Thanks @stevebot-alive.