fix(security): harden tlon Urbit requests against SSRF

2026-04-18 13:07:28 +00:00 · 2026-02-14 18:41:23 +01:00
parent 5a313c83b7
commit bfa7d21e99
18 changed files with 735 additions and 191 deletions
--- a/docs/channels/tlon.md
+++ b/docs/channels/tlon.md
@@ -55,6 +55,22 @@ Minimal config (single account):
 }
 ```

+Private/LAN ship URLs (advanced):
+
+By default, OpenClaw blocks private/internal hostnames and IP ranges for this plugin (SSRF hardening).
+If your ship URL is on a private network (for example `http://192.168.1.50:8080` or `http://localhost:8080`),
+you must explicitly opt in:
+
+```json5
+{
+  channels: {
+    tlon: {
+      allowPrivateNetwork: true,
+    },
+  },
+}
+```
+
 ## Group channels

 Auto-discovery is enabled by default. You can also pin channels manually: