github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-11 09:41:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden SSRF IPv4 literal parsing

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 15:14:22 +01:00
parent 3561442a9f
commit baa335f258
5 changed files with 106 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/infra/net/ssrf.pinning.test.ts
View File

@@ -122,6 +122,17 @@ describe("ssrf pinning", () => {
expect(lookup).not.toHaveBeenCalled();
});
it("blocks legacy loopback IPv4 literals before DNS lookup", async () => {
const lookup = vi.fn(async () => [
{ address: "93.184.216.34", family: 4 },
]) as unknown as LookupFn;
await expect(
resolvePinnedHostnameWithPolicy("0177.0.0.1", { lookupFn: lookup }),
).rejects.toThrow(SsrFBlockedError);
expect(lookup).not.toHaveBeenCalled();
});
it("allows ISATAP embedded private IPv4 when private network is explicitly enabled", async () => {
const lookup = vi.fn(async () => [
{ address: "2001:db8:1234::5efe:127.0.0.1", family: 6 },