github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 05:02:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: unify SSRF hostname/ip precheck and add policy regression

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 10:25:25 +01:00
parent b4792c7362
commit d05c8eb912
2 changed files with 38 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/infra/net/ssrf.pinning.test.ts
View File

@@ -4,6 +4,7 @@ import {
type LookupFn,
resolvePinnedHostname,
resolvePinnedHostnameWithPolicy,
SsrFBlockedError,
} from "./ssrf.js";
describe("ssrf pinning", () => {
@@ -107,4 +108,34 @@ describe("ssrf pinning", () => {
}),
).rejects.toThrow(/allowlist/i);
});
it("blocks ISATAP embedded private IPv4 before DNS lookup", async () => {
const lookup = vi.fn(async () => [
{ address: "93.184.216.34", family: 4 },
]) as unknown as LookupFn;
await expect(
resolvePinnedHostnameWithPolicy("2001:db8:1234::5efe:127.0.0.1", {
lookupFn: lookup,
}),
).rejects.toThrow(SsrFBlockedError);
expect(lookup).not.toHaveBeenCalled();
});
it("allows ISATAP embedded private IPv4 when private network is explicitly enabled", async () => {
const lookup = vi.fn(async () => [
{ address: "2001:db8:1234::5efe:127.0.0.1", family: 6 },
]) as unknown as LookupFn;
await expect(
resolvePinnedHostnameWithPolicy("2001:db8:1234::5efe:127.0.0.1", {
lookupFn: lookup,
policy: { allowPrivateNetwork: true },
}),
).resolves.toMatchObject({
hostname: "2001:db8:1234::5efe:127.0.0.1",
addresses: ["2001:db8:1234::5efe:127.0.0.1"],
});
expect(lookup).toHaveBeenCalledTimes(1);
});
});