github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-19 07:47:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: block IPv6 multicast SSRF bypass

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 03:34:47 +01:00
parent 260bec5985
commit baf656bc6f
4 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -17,6 +17,7 @@ Docs: https://docs.openclaw.ai
### Fixes ### Fixes
- Agents/Subagents delivery: refactor subagent completion announce dispatch into an explicit queue/direct/fallback state machine, recover outbound channel-plugin resolution in cold/stale plugin-registry states across announce/message/gateway send paths, finalize cleanup bookkeeping when announce flow rejects, and treat Telegram sends without `message_id` as delivery failures (instead of false-success `"unknown"` IDs). (#26867, #25961, #26803, #25069, #26741) Thanks @SmithLabsLLC and @docaohieu2808. - Agents/Subagents delivery: refactor subagent completion announce dispatch into an explicit queue/direct/fallback state machine, recover outbound channel-plugin resolution in cold/stale plugin-registry states across announce/message/gateway send paths, finalize cleanup bookkeeping when announce flow rejects, and treat Telegram sends without `message_id` as delivery failures (instead of false-success `"unknown"` IDs). (#26867, #25961, #26803, #25069, #26741) Thanks @SmithLabsLLC and @docaohieu2808.
- Security/SSRF guard: classify IPv6 multicast literals (`ff00::/8`) as blocked/private-internal targets in shared SSRF IP checks, preventing multicast literals from bypassing URL-host preflight and DNS answer validation. This ships in the next npm release (`2026.2.25`). Thanks @zpbrent for reporting.
- Slack/Session threads: prevent oversized parent-session inheritance from silently bricking new thread sessions, surface embedded context-overflow empty-result failures to users, and add configurable `session.parentForkMaxTokens` (default `100000`, `0` disables). (#26912) Thanks @markshields-tl. - Slack/Session threads: prevent oversized parent-session inheritance from silently bricking new thread sessions, surface embedded context-overflow empty-result failures to users, and add configurable `session.parentForkMaxTokens` (default `100000`, `0` disables). (#26912) Thanks @markshields-tl.
- Models/Auth probes: map permanent auth failover reasons (`auth_permanent`, for example revoked keys) into probe auth status instead of `unknown`, so `openclaw models status --probe` reports actionable auth failures. (#25754) thanks @rrenamed. - Models/Auth probes: map permanent auth failover reasons (`auth_permanent`, for example revoked keys) into probe auth status instead of `unknown`, so `openclaw models status --probe` reports actionable auth failures. (#25754) thanks @rrenamed.
- Security/Signal: enforce DM/group authorization before reaction-only notification enqueue so unauthorized senders can no longer inject Signal reaction system events under `dmPolicy`/`groupPolicy`; reaction notifications now require channel access checks first. This ships in the next npm release (`2026.2.25`). Thanks @tdjackey for reporting. - Security/Signal: enforce DM/group authorization before reaction-only notification enqueue so unauthorized senders can no longer inject Signal reaction system events under `dmPolicy`/`groupPolicy`; reaction notifications now require channel access checks first. This ships in the next npm release (`2026.2.25`). Thanks @tdjackey for reporting.

3
src/infra/net/ssrf.test.ts
View File

@@ -38,6 +38,9 @@ const privateIpCases = [
"fe80::1%lo0", "fe80::1%lo0",
"fd00::1", "fd00::1",
"fec0::1", "fec0::1",
"ff02::1",
"ff05::1:3",
"[ff02::1]",
"2001:db8:1234::5efe:127.0.0.1", "2001:db8:1234::5efe:127.0.0.1",
"2001:db8:1234:1:200:5efe:7f00:1", "2001:db8:1234:1:200:5efe:7f00:1",
]; ];

4
src/shared/net/ip.test.ts
View File

@@ -45,8 +45,10 @@ describe("shared ip helpers", () => {
} }
}); });
it("treats deprecated site-local IPv6 as private/internal", () => { it("treats blocked IPv6 classes as private/internal", () => {
expect(isPrivateOrLoopbackIpAddress("fec0::1")).toBe(true); expect(isPrivateOrLoopbackIpAddress("fec0::1")).toBe(true);
expect(isPrivateOrLoopbackIpAddress("ff02::1")).toBe(true);
expect(isPrivateOrLoopbackIpAddress("[ff05::1:3]")).toBe(true);
expect(isPrivateOrLoopbackIpAddress("2001:4860:4860::8888")).toBe(false); expect(isPrivateOrLoopbackIpAddress("2001:4860:4860::8888")).toBe(false);
}); });
}); });

1
src/shared/net/ip.ts
View File

@@ -27,6 +27,7 @@ const PRIVATE_OR_LOOPBACK_IPV6_RANGES = new Set<Ipv6Range>([
"loopback", "loopback",
"linkLocal", "linkLocal",
"uniqueLocal", "uniqueLocal",
"multicast",
]); ]);
const RFC2544_BENCHMARK_PREFIX: [ipaddr.IPv4, number] = [ipaddr.IPv4.parse("198.18.0.0"), 15]; const RFC2544_BENCHMARK_PREFIX: [ipaddr.IPv4, number] = [ipaddr.IPv4.parse("198.18.0.0"), 15];
export type Ipv4SpecialUseBlockOptions = { export type Ipv4SpecialUseBlockOptions = {