k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 13:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(ssrf): relax internal network resolution (#947)

Browse Source
This commit is contained in:
jubnl
2026-05-03 16:33:45 +02:00
parent 735f6d527b
commit 9a0836816a
1 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/utils/ssrfGuard.ts
+2 -3
View File
@@ -66,8 +66,7 @@ export async function checkSsrf(rawUrl: string, bypassInternalIpAllowed: boolean
const hostname = url.hostname.toLowerCase(); const hostname = url.hostname.toLowerCase();
// Block internal hostname suffixes (no override — these are too easy to abuse) if (isInternalHostname(hostname) && hostname !== 'localhost' && !ALLOW_INTERNAL_NETWORK) {
if (isInternalHostname(hostname) && hostname !== 'localhost') {
return { allowed: false, isPrivate: false, error: 'Requests to .local/.internal domains are not allowed' }; return { allowed: false, isPrivate: false, error: 'Requests to .local/.internal domains are not allowed' };
} }
@@ -80,7 +79,7 @@ export async function checkSsrf(rawUrl: string, bypassInternalIpAllowed: boolean
return { allowed: false, isPrivate: false, error: 'Could not resolve hostname' }; return { allowed: false, isPrivate: false, error: 'Could not resolve hostname' };
} }
if (isAlwaysBlocked(resolvedIp)) { if (isAlwaysBlocked(resolvedIp) && !ALLOW_INTERNAL_NETWORK) {
return { return {
allowed: false, allowed: false,
isPrivate: true, isPrivate: true,