project-nomad/admin/app/validators
Sebastion 05893d7ab9
fix: block IPv4-mapped IPv6 and IPv6 all-zeros in SSRF check
The assertNotPrivateUrl() function blocked standard loopback and link-local
addresses but could be bypassed using IPv4-mapped IPv6 representations:

  - http://[::ffff:127.0.0.1]:8080/ → loopback bypass
  - http://[::ffff:169.254.169.254]:8080/ → metadata endpoint bypass
  - http://[::]:8080/ → all-interfaces bypass

Node.js normalises these to [::ffff:7f00:1], [::ffff:a9fe:a9fe], and [::]
respectively, none of which matched the existing regex patterns.

Add two patterns to close the gap:
  - /^\[::ffff:/i catches all IPv4-mapped IPv6 addresses
  - /^\[::\]$/ catches the IPv6 all-zeros address

Legitimate RFC1918 LAN URLs (192.168.x, 10.x, 172.16-31.x) remain allowed.
2026-03-24 12:50:51 +00:00
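The following is an added illustrative example, not project-nomad's own `assertNotPrivateUrl()` implementation. It models the gap the commit message describes: Node's WHATWG `URL` class parses the bypass URLs into compact IPv6 forms that a loopback/link-local pattern list never sees, and the two added patterns catch those forms. `BASE_PATTERNS` is an assumed stand-in for the original pattern set; the sample URLs are constructed from the ones quoted in the message.

```typescript
// Illustrative SSRF host check (added example; not project-nomad's code).
// BASE_PATTERNS is an assumed approximation of a pre-fix pattern list.
const BASE_PATTERNS: RegExp[] = [
  /^localhost$/i,
  /^127\./,        // IPv4 loopback
  /^169\.254\./,   // IPv4 link-local, where cloud metadata endpoints live
  /^0\.0\.0\.0$/,  // IPv4 unspecified
  /^\[::1\]$/,     // IPv6 loopback
  /^\[fe80:/i,     // IPv6 link-local
];

// The two patterns the commit adds.
const MAPPED_PATTERNS: RegExp[] = [
  /^\[::ffff:/i,   // every IPv4-mapped IPv6 address, e.g. [::ffff:7f00:1]
  /^\[::\]$/,      // IPv6 all-zeros (all interfaces)
];

// Node keeps the square brackets in .hostname for IPv6 literals and
// serialises IPv4-mapped addresses as hex groups, so this is the exact
// string the pattern list is matched against.
function normalisedHost(url: string): string {
  return new URL(url).hostname;
}

function isBlocked(host: string, patterns: RegExp[]): boolean {
  return patterns.some((p) => p.test(host));
}

// withFix=false reproduces the pre-commit behaviour, withFix=true the patched one.
function checkUrl(url: string, withFix: boolean): { host: string; blocked: boolean } {
  const host = normalisedHost(url);
  const patterns = withFix ? [...BASE_PATTERNS, ...MAPPED_PATTERNS] : BASE_PATTERNS;
  return { host, blocked: isBlocked(host, patterns) };
}

// Constructed sample URLs: the three forms from the commit message,
// a plain loopback URL, and a legitimate RFC 1918 LAN URL that must stay allowed.
const SAMPLE_URLS = [
  "http://[::ffff:127.0.0.1]:8080/",
  "http://[::ffff:169.254.169.254]:8080/",
  "http://[::]:8080/",
  "http://127.0.0.1:8080/",
  "http://192.168.1.10:8080/",
];

for (const u of SAMPLE_URLS) {
  const before = checkUrl(u, false);
  const after = checkUrl(u, true);
  console.log(
    `${u} -> host ${before.host}: before=${before.blocked ? "blocked" : "allowed"}, after=${after.blocked ? "blocked" : "allowed"}`
  );
}
```

Matching on `new URL(url).hostname` only works because the parser canonicalises the literal first, so the pattern list has to be written against Node's serialised form (`[::ffff:7f00:1]`, not `[::ffff:127.0.0.1]`). A check that resolves the hostname and tests the resulting IP address against reserved ranges, and repeats that test at connection time, is less dependent on string representations than any regex list.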
benchmark.ts feat: Add system benchmark feature with NOMAD Score 2026-01-22 21:48:12 -08:00
chat.ts feat: [wip] native AI chat interface 2026-01-31 20:39:49 -08:00
common.ts fix: block IPv4-mapped IPv6 and IPv6 all-zeros in SSRF check 2026-03-24 12:50:51 +00:00
curated_collections.ts feat: curated content system overhaul 2026-02-11 15:44:46 -08:00
download.ts feat(Open WebUI): manage models via Command Center 2026-01-19 22:15:52 -08:00
ollama.ts feat(AI Assistant): improved state management and performance 2026-03-11 14:08:09 -07:00
rag.ts feat(RAG): allow deletion of files from KB 2026-03-04 20:05:14 -08:00
settings.ts feat(AI Assistant): custom name option for AI Assistant 2026-03-04 20:05:14 -08:00
system.ts feat: support for updating services 2026-03-11 14:08:09 -07:00
zim.ts feat: [wip] custom map and zim downloads 2025-12-02 08:25:09 -08:00