github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 07:52:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): enforce strict IPv4 SSRF literal handling

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 15:24:03 +01:00
parent 77c748304b
commit 26c9b37f5b
6 changed files with 121 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/infra/net/ssrf.pinning.test.ts
View File

@@ -133,6 +133,17 @@ describe("ssrf pinning", () => {
expect(lookup).not.toHaveBeenCalled();
});
it("blocks unsupported short-form IPv4 literals before DNS lookup", async () => {
const lookup = vi.fn(async () => [
{ address: "93.184.216.34", family: 4 },
]) as unknown as LookupFn;
await expect(resolvePinnedHostnameWithPolicy("8.8.2056", { lookupFn: lookup })).rejects.toThrow(
SsrFBlockedError,
);
expect(lookup).not.toHaveBeenCalled();
});
it("allows ISATAP embedded private IPv4 when private network is explicitly enabled", async () => {
const lookup = vi.fn(async () => [
{ address: "2001:db8:1234::5efe:127.0.0.1", family: 6 },