openclaw

mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 03:01:25 +00:00

Author	SHA1	Message	Date
Ayaan Zaidi	30fd2bbe19	fix(ssrf): honor global family policy for pinned dispatcher	2026-02-26 14:57:15 +05:30
Peter Steinberger	61b3246a7f	fix(ssrf): unify ipv6 special-use blocking	2026-02-26 03:43:42 +01:00
Peter Steinberger	d18ae2256f	refactor: unify channel plugin resolution, family ordering, and changelog entry tooling	2026-02-24 15:15:22 +00:00
Glucksberg	dd9ba974d0	fix: sort IPv4 addresses before IPv6 in SSRF pinned DNS to fix Telegram media fetch on IPv6-broken hosts On hosts where IPv6 is configured but not routed (common on cloud VMs), Telegram media downloads fail because the pinned DNS lookup may return IPv6 addresses first. Even though autoSelectFamily (Happy Eyeballs) is enabled, the round-robin pinned lookup serves individual IPv6 addresses that fail before IPv4 is attempted. Sort resolved addresses so IPv4 comes first, ensuring both Happy Eyeballs and single-address round-robin try the working address family first. Fixes #23975 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-24 14:53:01 +00:00
Peter Steinberger	3af9d1f8e9	fix: scope Telegram RFC2544 SSRF exception to policy opt-in (#24982 ) (thanks @stakeswky)	2026-02-24 03:28:00 +00:00
Peter Steinberger	5eb72ab769	fix(security): harden browser SSRF defaults and migrate legacy key	2026-02-24 01:52:01 +00:00
Peter Steinberger	e9ed688c2c	fix(net): enable family fallback for pinned SSRF dispatcher	2026-02-22 17:54:15 +01:00
Peter Steinberger	333fbb8634	refactor(net): consolidate IP checks with ipaddr.js	2026-02-22 17:02:44 +01:00
Peter Steinberger	44dfbd23df	fix(ssrf): centralize host/ip block checks	2026-02-22 15:41:41 +01:00
Peter Steinberger	71bd15bb42	fix(ssrf): block special-use ipv4 ranges	2026-02-21 23:45:49 +01:00
Peter Steinberger	26c9b37f5b	fix(security): enforce strict IPv4 SSRF literal handling	2026-02-19 15:24:47 +01:00
Peter Steinberger	baa335f258	fix(security): harden SSRF IPv4 literal parsing	2026-02-19 15:14:46 +01:00
Peter Steinberger	d05c8eb912	refactor: unify SSRF hostname/ip precheck and add policy regression	2026-02-19 10:25:31 +01:00
Peter Steinberger	d51929ecb5	fix: block ISATAP SSRF bypass via shared host/ip guard	2026-02-19 09:59:47 +01:00
Peter Steinberger	e8154c12e6	refactor(net): table-drive embedded IPv6 decoding and SSRF tests	2026-02-18 04:57:08 +01:00
Peter Steinberger	442fdbf3d8	fix(security): block SSRF IPv6 transition bypasses	2026-02-18 04:53:09 +01:00
Sebastian	f924ab40d8	revert(tools): undo accidental merge of PR #18584	2026-02-16 21:13:48 -05:00
smartprogrammer93	6d2e3685d6	feat(tools): add URL allowlist for web_search and web_fetch Add optional urlAllowlist config at tools.web level that restricts which URLs can be accessed by web tools: - Config types (types.tools.ts): Add urlAllowlist?: string[] to tools.web - Zod schema: Add urlAllowlist field to ToolsWebSchema - Schema help: Add help text for the new config fields - web_search: Filter Brave search results by allowlist (provider=brave) - web_fetch: Block URLs not matching allowlist before fetching - ssrf.ts: Export normalizeHostnameAllowlist and matchesHostnameAllowlist URL matching supports: - Exact domain match (example.com) - Wildcard patterns (*.github.com) When urlAllowlist is not configured, all URLs are allowed (backwards compatible). Tests: Add web-tools.url-allowlist.test.ts with 23 tests covering: - URL allowlist resolution from config - Wildcard pattern matching - web_fetch error response format - Brave search result filtering	2026-02-16 23:50:18 +01:00
Peter Steinberger	4aaafe5322	refactor(net): share hostname normalization	2026-02-16 01:01:22 +00:00
Peter Steinberger	c0c0e0f9ae	fix(security): block full-form IPv4-mapped IPv6 in SSRF guard	2026-02-14 22:58:38 +01:00
Peter Steinberger	99f28031e5	fix: harden OpenResponses URL input fetching	2026-02-13 01:38:49 +01:00
Peter Steinberger	81c68f582d	fix: guard remote media fetches with SSRF checks	2026-02-02 04:07:29 -08:00
cpojer	f06dd8df06	chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.	2026-02-01 10:03:47 +09:00
cpojer	5ceff756e1	chore: Enable "curly" rule to avoid single-statement if confusion/errors.	2026-01-31 16:19:20 +09:00
Peter Steinberger	b623557a2e	fix: harden url fetch dns pinning	2026-01-26 16:05:29 +00:00
Peter Steinberger	5bd55037e4	fix: harden web fetch SSRF and redirects Co-authored-by: Eli <fogboots@users.noreply.github.com>	2026-01-21 02:54:14 +00:00

26 Commits