github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-28 03:29:25 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: block IPv4-mapped IPv6 and IPv6 all-zeros in SSRF check

Browse Source 
The assertNotPrivateUrl() function blocked standard loopback and link-local
addresses but could be bypassed using IPv4-mapped IPv6 representations:

  - http://[::ffff:127.0.0.1]:8080/ → loopback bypass
  - http://[::ffff:169.254.169.254]:8080/ → metadata endpoint bypass
  - http://[::]:8080/ → all-interfaces bypass

Node.js normalises these to [::ffff:7f00:1], [::ffff:a9fe:a9fe], and [::]
respectively, none of which matched the existing regex patterns.

Add two patterns to close the gap:
  - /^\[::ffff:/i catches all IPv4-mapped IPv6 addresses
  - /^\[::\]$/ catches the IPv6 all-zeros address

Legitimate RFC1918 LAN URLs (192.168.x, 10.x, 172.16-31.x) remain allowed.
This commit is contained in:
Sebastion 2026-03-24 12:50:51 +00:00
parent efe6af9b24
commit 05893d7ab9
No known key found for this signature in database
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
admin/app/validators/common.ts
View File

@ -22,6 +22,8 @@ export function assertNotPrivateUrl(urlString: string): void {
/^169\.254\.\d+\.\d+$/, // Link-local / cloud metadata
/^\[::1\]$/,
/^\[?fe80:/i, // IPv6 link-local
/^\[::ffff:/i, // IPv4-mapped IPv6 (e.g. [::ffff:7f00:1] = 127.0.0.1)
/^\[::\]$/, // IPv6 all-zeros (equivalent to 0.0.0.0)
]
if (blockedPatterns.some((re) => re.test(hostname))) {