github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 01:08:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block full-form IPv4-mapped IPv6 in SSRF guard

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-14 22:56:08 +01:00
parent 2954cdabf9
commit c0c0e0f9ae
3 changed files with 149 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/infra/net/ssrf.test.ts Normal file
View File

@@ -0,0 +1,32 @@
import { describe, expect, it } from "vitest";
import { isPrivateIpAddress } from "./ssrf.js";
describe("ssrf ip classification", () => {
it("treats IPv4-mapped and IPv4-compatible IPv6 loopback as private", () => {
expect(isPrivateIpAddress("::ffff:127.0.0.1")).toBe(true);
expect(isPrivateIpAddress("0:0:0:0:0:ffff:7f00:1")).toBe(true);
expect(isPrivateIpAddress("0000:0000:0000:0000:0000:ffff:7f00:0001")).toBe(true);
expect(isPrivateIpAddress("::127.0.0.1")).toBe(true);
expect(isPrivateIpAddress("0:0:0:0:0:0:7f00:1")).toBe(true);
expect(isPrivateIpAddress("[0:0:0:0:0:ffff:7f00:1]")).toBe(true);
});
it("treats IPv4-mapped metadata/link-local as private", () => {
expect(isPrivateIpAddress("::ffff:169.254.169.254")).toBe(true);
expect(isPrivateIpAddress("0:0:0:0:0:ffff:a9fe:a9fe")).toBe(true);
});
it("treats common IPv6 private/internal ranges as private", () => {
expect(isPrivateIpAddress("::")).toBe(true);
expect(isPrivateIpAddress("::1")).toBe(true);
expect(isPrivateIpAddress("fe80::1%lo0")).toBe(true);
expect(isPrivateIpAddress("fd00::1")).toBe(true);
expect(isPrivateIpAddress("fec0::1")).toBe(true);
});
it("does not classify public IPs as private", () => {
expect(isPrivateIpAddress("93.184.216.34")).toBe(false);
expect(isPrivateIpAddress("2606:4700:4700::1111")).toBe(false);
expect(isPrivateIpAddress("2001:db8::1")).toBe(false);
});
});