github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 11:24:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: block ISATAP SSRF bypass via shared host/ip guard

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 09:59:34 +01:00
parent 4cd5fad14b
commit d51929ecb5
9 changed files with 72 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/link-understanding/detect.test.ts
View File

@@ -26,6 +26,7 @@ describe("extractLinksFromMessage", () => {
it("blocks localhost and common loopback addresses", () => {
expect(extractLinksFromMessage("http://localhost/secret")).toEqual([]);
expect(extractLinksFromMessage("http://localhost.localdomain/secret")).toEqual([]);
expect(extractLinksFromMessage("http://foo.localhost/secret")).toEqual([]);
expect(extractLinksFromMessage("http://service.local/secret")).toEqual([]);
expect(extractLinksFromMessage("http://service.internal/secret")).toEqual([]);
@@ -53,6 +54,7 @@ describe("extractLinksFromMessage", () => {
it("blocks private and mapped IPv6 addresses", () => {
expect(extractLinksFromMessage("http://[::ffff:127.0.0.1]/secret")).toEqual([]);
expect(extractLinksFromMessage("http://[2001:db8:1234::5efe:127.0.0.1]/secret")).toEqual([]);
expect(extractLinksFromMessage("http://[fe80::1]/secret")).toEqual([]);
expect(extractLinksFromMessage("http://[fc00::1]/secret")).toEqual([]);
});