From 9a0836816a17d3c484297497bfc87cbfbfa6199f Mon Sep 17 00:00:00 2001
From: jubnl
Date: Sun, 3 May 2026 16:33:45 +0200
Subject: [PATCH] fix(ssrf): relax internal network resolution (#947)

---
 server/src/utils/ssrfGuard.ts | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/server/src/utils/ssrfGuard.ts b/server/src/utils/ssrfGuard.ts
index 19ed98dc..74dc0cab 100644
--- a/server/src/utils/ssrfGuard.ts
+++ b/server/src/utils/ssrfGuard.ts
@@ -66,8 +66,7 @@ export async function checkSsrf(rawUrl: string, bypassInternalIpAllowed: boolean
 const hostname = url.hostname.toLowerCase();
- // Block internal hostname suffixes (no override — these are too easy to abuse)
- if (isInternalHostname(hostname) && hostname !== 'localhost') {
+ if (isInternalHostname(hostname) && hostname !== 'localhost' && !ALLOW_INTERNAL_NETWORK) {
 return { allowed: false, isPrivate: false, error: 'Requests to .local/.internal domains are not allowed' };
 }
@@ -80,7 +79,7 @@ export async function checkSsrf(rawUrl: string, bypassInternalIpAllowed: boolean
 return { allowed: false, isPrivate: false, error: 'Could not resolve hostname' };
 }
- if (isAlwaysBlocked(resolvedIp)) {
+ if (isAlwaysBlocked(resolvedIp) && !ALLOW_INTERNAL_NETWORK) {
 return { allowed: false, isPrivate: true,
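Review bot: In the second hunk, `ALLOW_INTERNAL_NETWORK` now skips `isAlwaysBlocked(resolvedIp)` altogether, so everything that list covers beyond private LAN ranges (loopback, link-local and a cloud metadata address, if the helper includes them — it is defined outside the hunk) becomes reachable whenever the flag is set, which is exactly the "no override" property the comment deleted in the first hunk was protecting. If the goal is only to reach private-network services, a narrower gate keeps that invariant: leave `if (isAlwaysBlocked(resolvedIp)) {` unchanged and apply the flag only to the private-range branch that presumably follows (not visible here), or split the always-blocked set so the flag can relax RFC1918 ranges without relaxing loopback/link-local. The first hunk should also keep a comment stating the new policy in place of the removed one, e.g. `// Internal hostnames are refused unless the deployment-wide ALLOW_INTERNAL_NETWORK override is set`, and an audit log entry when the override actually bypasses a block would make its use visible to operators. Where `ALLOW_INTERNAL_NETWORK` is defined and how it relates to the existing `bypassInternalIpAllowed` parameter is not shown in the diff; `checkSsrf`'s body continues outside both hunks.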