project-nomad/admin/app
Sebastion 05893d7ab9
fix: block IPv4-mapped IPv6 and IPv6 all-zeros in SSRF check
The assertNotPrivateUrl() function blocked standard loopback and link-local
addresses but could be bypassed using IPv4-mapped IPv6 representations:

  - http://[::ffff:127.0.0.1]:8080/ → loopback bypass
  - http://[::ffff:169.254.169.254]:8080/ → metadata endpoint bypass
  - http://[::]:8080/ → all-interfaces bypass

Node.js normalises these to [::ffff:7f00:1], [::ffff:a9fe:a9fe], and [::]
respectively, none of which matched the existing regex patterns.

Add two patterns to close the gap:
  - /^\[::ffff:/i catches all IPv4-mapped IPv6 addresses
  - /^\[::\]$/ catches the IPv6 all-zeros address

Legitimate RFC1918 LAN URLs (192.168.x, 10.x, 172.16-31.x) remain allowed.
2026-03-24 12:50:51 +00:00
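The following is an added example, not the project's own validator: a small Node.js check in the style the commit describes, showing how the WHATWG URL parser rewrites the bracketed IPv6 literals and why the two new patterns are needed. Only the two regexes quoted in the commit message come from the page; the function names (`normalizedHost`, `assertNotPrivateUrl`, `blockedBy`) and the "baseline" patterns standing in for the project's pre-existing ones are assumptions.

```javascript
// Added example (not project-nomad's code). Demonstrates the SSRF host check
// described in the commit: run the deny-list against the parsed hostname,
// because the WHATWG URL parser normalises IPv6 literals before any regex sees them.
// URL is a Node.js global, so no import is required.

// Stand-ins for the patterns the commit says already existed (assumption).
const BASELINE_PATTERNS = [
  /^localhost$/i,
  /^127\./,        // IPv4 loopback
  /^\[::1\]$/,     // IPv6 loopback
  /^169\.254\./,   // IPv4 link-local (where cloud metadata endpoints live)
  /^\[fe80:/i,     // IPv6 link-local
];

// The two patterns the commit adds (taken verbatim from the commit message).
const ADDED_PATTERNS = [
  /^\[::ffff:/i,   // any IPv4-mapped IPv6 address, e.g. [::ffff:7f00:1]
  /^\[::\]$/,      // IPv6 all-zeros (all interfaces)
];

// Parse with the WHATWG URL class and return the serialised hostname.
// [::ffff:127.0.0.1] comes back as [::ffff:7f00:1], which is what must be checked.
function normalizedHost(rawUrl) {
  return new URL(rawUrl).hostname;
}

function isBlockedHost(hostname, patterns) {
  return patterns.some((re) => re.test(hostname));
}

// Throws for loopback / link-local / mapped / all-zeros hosts; RFC1918 LAN hosts pass.
function assertNotPrivateUrl(rawUrl, patterns = [...BASELINE_PATTERNS, ...ADDED_PATTERNS]) {
  const host = normalizedHost(rawUrl);
  if (isBlockedHost(host, patterns)) {
    throw new Error(`Refusing to fetch private or loopback host: ${host}`);
  }
  return host;
}

// Helper for comparing the pre-fix and post-fix deny-lists side by side.
function blockedBy(rawUrl, patterns) {
  try {
    assertNotPrivateUrl(rawUrl, patterns);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample URLs: the three bypass forms from the commit plus a LAN host.
const SAMPLES = [
  'http://[::ffff:127.0.0.1]:8080/',
  'http://[::ffff:169.254.169.254]:8080/',
  'http://[::]:8080/',
  'http://192.168.1.10/',
];

for (const s of SAMPLES) {
  console.log(
    `${s} -> hostname ${normalizedHost(s)} | baseline blocks: ${blockedBy(s, BASELINE_PATTERNS)} | with fix: ${blockedBy(s)}`
  );
}
```

The important design point is that the deny-list is evaluated on `url.hostname` after parsing, not on the raw string: the parser collapses `[::ffff:127.0.0.1]` to `[::ffff:7f00:1]`, so a pattern written against the dotted form would never match, while a pattern against the raw string could be dodged by any alternative spelling the parser accepts.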
controllers fix(downloads): allow users to dismiss failed downloads 2026-03-20 11:46:10 -07:00
exceptions fix(Docs): documentation renderer fixes 2025-12-23 16:00:33 -08:00
jobs fix: prevent embedding retry storm when Ollama is not installed 2026-03-20 11:46:10 -07:00
middleware feat: background job overhaul with bullmq 2025-12-06 23:59:01 -08:00
models feat: support for updating services 2026-03-11 14:08:09 -07:00
services fix(disk): correct storage display by fixing device matching and dedup mount entries 2026-03-20 11:46:10 -07:00
utils fix(disk): correct storage display by fixing device matching and dedup mount entries 2026-03-20 11:46:10 -07:00
validators fix: block IPv4-mapped IPv6 and IPv6 all-zeros in SSRF check 2026-03-24 12:50:51 +00:00