docs(ssrf): update Internal-Network-Access wiki to reflect relaxed guard

Loopback, link-local, and .local/.internal hostnames are now all
overridable with ALLOW_INTERNAL_NETWORK=true (commit 9a08368). Merge
the two-tier "always blocked / conditionally blocked" structure into a
single table, add a warning about cloud metadata exposure.
jubnl
2026-05-03 16:38:59 +02:00
parent 9a0836816a
commit 3a57cec992
+8 -12
@@ -6,31 +6,27 @@ TREK makes outbound HTTP requests when you configure integrations such as Immich
All outbound requests go through an SSRF guard (`ssrfGuard.ts`). The guard resolves the hostname to an IP address before allowing the connection and blocks addresses in private ranges.
## Always blocked (no override possible)
## Blocked unless `ALLOW_INTERNAL_NETWORK=true`
These ranges are blocked regardless of any setting:
All of the following are blocked by default and can be permitted by setting `ALLOW_INTERNAL_NETWORK=true`:
| Range | Description |
| Range / Hostname | Description |
|---|---|
| `127.0.0.0/8`, `::1` | Loopback |
| `0.0.0.0/8` | Unspecified |
| `169.254.0.0/16`, `fe80::/10` | Link-local / cloud metadata endpoints |
| `::ffff:127.x.x.x`, `::ffff:169.254.x.x` | IPv4-mapped loopback and link-local |
In addition, hostnames ending in `.local` or `.internal` are always blocked regardless of `ALLOW_INTERNAL_NETWORK`. These suffixes are readily abused for hostname-based bypasses.
The hostname `localhost` is not blocked at the hostname stage, but it resolves to `127.0.0.1` which is caught by the loopback rule above and is therefore always blocked.
## Blocked unless `ALLOW_INTERNAL_NETWORK=true`
| Range | Description |
|---|---|
| `10.0.0.0/8` | RFC-1918 private |
| `172.16.0.0/12` | RFC-1918 private |
| `192.168.0.0/16` | RFC-1918 private |
| `100.64.0.0/10` | CGNAT / Tailscale shared address space |
| `fc00::/7` | IPv6 ULA |
| IPv4-mapped RFC-1918 variants | e.g. `::ffff:10.x`, `::ffff:192.168.x` |
| `*.local`, `*.internal` hostnames | mDNS / internal DNS suffixes |
The hostname `localhost` is not blocked at the hostname stage but resolves to `127.0.0.1`, which falls under the loopback rule above.
> **Warning:** `ALLOW_INTERNAL_NETWORK=true` also permits loopback and link-local addresses, including `169.254.169.254` (cloud instance metadata). Do **not** set this flag on a cloud-hosted TREK instance.
## When to enable
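Review bot: the rewritten `localhost` sentence below the merged table stops short of its consequence: now that loopback sits under "Blocked unless `ALLOW_INTERNAL_NETWORK=true`", `localhost` is also permitted when the flag is set, so consider ending it with ", and is therefore likewise permitted when `ALLOW_INTERNAL_NETWORK=true`" (the removed wording said "therefore always blocked", and a reader comparing the two versions could assume `localhost` is still a hard block). Two smaller points in the same hunk: the `0.0.0.0/8` row labelled "Unspecified" has moved from the always-blocked section into the overridable table without comment, while the warning only names loopback and link-local, so if that move is intended the warning should list it too; and the warning calls out `169.254.169.254` but the `fe80::/10` and `::ffff:169.254.x.x` rows are relaxed in the same way, so "loopback and link-local addresses" could read "loopback and link-local addresses (IPv4, IPv6 and IPv4-mapped)" to match the table.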