github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 05:01:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block SSRF IPv6 transition bypasses

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-18 04:52:44 +01:00
parent 50e5553533
commit 442fdbf3d8
3 changed files with 73 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
src/infra/net/ssrf.ts
View File

@@ -146,15 +146,55 @@ function extractIpv4FromEmbeddedIpv6(hextets: number[]): number[] | null {
// IPv4-mapped: ::ffff:a.b.c.d (and full-form variants)
// IPv4-compatible: ::a.b.c.d (deprecated, but still needs private-network blocking)
const zeroPrefix = hextets[0] === 0 && hextets[1] === 0 && hextets[2] === 0 && hextets[3] === 0;
if (!zeroPrefix || hextets[4] !== 0) {
return null;
if (zeroPrefix && hextets[4] === 0 && (hextets[5] === 0xffff || hextets[5] === 0)) {
const high = hextets[6];
const low = hextets[7];
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
if (hextets[5] !== 0xffff && hextets[5] !== 0) {
return null;
// NAT64 well-known prefix: 64:ff9b::/96
if (
hextets[0] === 0x0064 &&
hextets[1] === 0xff9b &&
hextets[2] === 0 &&
hextets[3] === 0 &&
hextets[4] === 0 &&
hextets[5] === 0
) {
const high = hextets[6];
const low = hextets[7];
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
const high = hextets[6];
const low = hextets[7];
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
// NAT64 local-use prefix: 64:ff9b:1::/48 (common ::x.x.x.x form)
if (
hextets[0] === 0x0064 &&
hextets[1] === 0xff9b &&
hextets[2] === 0x0001 &&
hextets[3] === 0 &&
hextets[4] === 0 &&
hextets[5] === 0
) {
const high = hextets[6];
const low = hextets[7];
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
// 6to4 prefix: 2002::/16 where hextets[1..2] carry the IPv4 address.
if (hextets[0] === 0x2002) {
const high = hextets[1];
const low = hextets[2];
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
// Teredo prefix: 2001:0000::/32 where client IPv4 is obfuscated via XOR 0xffff.
if (hextets[0] === 0x2001 && hextets[1] === 0x0000) {
const high = hextets[6] ^ 0xffff;
const low = hextets[7] ^ 0xffff;
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
return null;
}
function isPrivateIpv4(parts: number[]): boolean {
@@ -195,7 +235,8 @@ export function isPrivateIpAddress(address: string): boolean {
if (normalized.includes(":")) {
const hextets = parseIpv6Hextets(normalized);
if (!hextets) {
return false;
// Security-critical parse failures should fail closed.
return true;
}
const isUnspecified =