github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 22:38:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: unify SSRF hostname/ip precheck and add policy regression

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 10:25:25 +01:00
parent b4792c7362
commit d05c8eb912
2 changed files with 38 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/infra/net/ssrf.ts
View File

@@ -316,6 +316,10 @@ export function isBlockedHostname(hostname: string): boolean {
if (!normalized) {
return false;
}
return isBlockedHostnameNormalized(normalized);
}
function isBlockedHostnameNormalized(normalized: string): boolean {
if (BLOCKED_HOSTNAMES.has(normalized)) {
return true;
}
@@ -331,7 +335,7 @@ export function isBlockedHostnameOrIp(hostname: string): boolean {
if (!normalized) {
return false;
}
return isBlockedHostname(normalized) || isPrivateIpAddress(normalized);
return isBlockedHostnameNormalized(normalized) || isPrivateIpAddress(normalized);
}
export function createPinnedLookup(params: {
@@ -415,14 +419,8 @@ export async function resolvePinnedHostnameWithPolicy(
throw new SsrFBlockedError(`Blocked hostname (not in allowlist): ${hostname}`);
}
if (!allowPrivateNetwork && !isExplicitAllowed) {
if (isBlockedHostname(normalized)) {
throw new SsrFBlockedError(`Blocked hostname: ${hostname}`);
}
if (isPrivateIpAddress(normalized)) {
throw new SsrFBlockedError("Blocked: private/internal IP address");
}
if (!allowPrivateNetwork && !isExplicitAllowed && isBlockedHostnameOrIp(normalized)) {
throw new SsrFBlockedError("Blocked hostname or private/internal IP address");
}
const lookupFn = params.lookupFn ?? dnsLookup;