project-nomad/admin/app
Sebastion 7ebf94158c
fix: block IPv4-mapped IPv6 and IPv6 all-zeros in SSRF check (#520)
The assertNotPrivateUrl() function blocked standard loopback and link-local
addresses but could be bypassed using IPv4-mapped IPv6 representations:

  - http://[::ffff:127.0.0.1]:8080/ → loopback bypass
  - http://[::ffff:169.254.169.254]:8080/ → metadata endpoint bypass
  - http://[::]:8080/ → all-interfaces bypass

Node.js normalises these to [::ffff:7f00:1], [::ffff:a9fe:a9fe], and [::]
respectively, none of which matched the existing regex patterns.

Add two patterns to close the gap:
  - /^\[::ffff:/i catches all IPv4-mapped IPv6 addresses
  - /^\[::\]$/ catches the IPv6 all-zeros address

Legitimate RFC1918 LAN URLs (192.168.x, 10.x, 172.16-31.x) remain allowed.
2026-04-01 15:01:50 -07:00
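The bypass and the fix described in this commit message, reproduced as an added example (this is illustrative code, not code from project-nomad). The function name assertNotPrivateUrl is taken from the message; the pre-fix pattern list is an assumption about what a loopback/link-local-only blocklist looks like, and the two added patterns are the ones the message quotes. It relies on Node's global WHATWG URL class, which serialises IPv4-mapped IPv6 literals in hex-group form, so the regexes are run against the normalised hostname rather than the text the caller supplied:

```javascript
// Added example, not project-nomad's code. Demonstrates why a blocklist of
// loopback/link-local regexes misses IPv4-mapped IPv6 literals, and how the
// two patterns from the commit message close the gap. Uses Node's global URL.

// Assumed pre-fix blocklist: loopback, all-interfaces and link-local only.
// Hostnames come from URL.hostname, so IPv6 literals keep their brackets.
const BLOCKED_BEFORE = [
  /^localhost$/i,
  /^127\./,            // IPv4 loopback
  /^\[::1\]$/,         // IPv6 loopback
  /^0\.0\.0\.0$/,      // IPv4 all interfaces
  /^169\.254\./,       // IPv4 link-local (cloud metadata endpoint lives here)
  /^\[fe80:/i,         // IPv6 link-local
];

// Post-fix blocklist: the same list plus the two patterns from the message.
const BLOCKED_AFTER = [
  ...BLOCKED_BEFORE,
  /^\[::ffff:/i,       // any IPv4-mapped IPv6 literal, e.g. [::ffff:7f00:1]
  /^\[::\]$/,          // IPv6 unspecified (all-zeros) address
];

// The hostname Node derives from the URL; this is what the regexes see.
function normalisedHost(rawUrl) {
  return new URL(rawUrl).hostname;
}

// Mirrors the check's shape: parse, then reject on any matching pattern.
function assertNotPrivateUrl(rawUrl, patterns = BLOCKED_AFTER) {
  const host = normalisedHost(rawUrl);
  if (patterns.some((re) => re.test(host))) {
    throw new Error(`refusing private/internal host: ${host}`);
  }
  return host;
}

// True when the URL is rejected under the given blocklist.
function isBlocked(rawUrl, patterns) {
  try {
    assertNotPrivateUrl(rawUrl, patterns);
    return false;
  } catch (_err) {
    return true;
  }
}

// Side-by-side results for the three bypass URLs from the commit message and
// one constructed RFC1918 LAN URL that must stay allowed.
function bypassReport() {
  const urls = [
    'http://[::ffff:127.0.0.1]:8080/',
    'http://[::ffff:169.254.169.254]:8080/',
    'http://[::]:8080/',
    'http://192.168.1.10:8080/',   // constructed: legitimate LAN target
  ];
  return urls.map((u) => ({
    url: u,
    host: normalisedHost(u),
    blockedBefore: isBlocked(u, BLOCKED_BEFORE),
    blockedAfter: isBlocked(u, BLOCKED_AFTER),
  }));
}

console.table(bypassReport());
```

Running it shows the first three URLs normalised to `[::ffff:7f00:1]`, `[::ffff:a9fe:a9fe]` and `[::]`, unblocked under the old list and blocked under the new one, while the 192.168.x URL passes both. Because the check only inspects the textual hostname after URL parsing, it says nothing about where a DNS name resolves; that is a separate concern from the literal-address gap this commit fixes.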
controllers fix(security): validate key parameter on settings read endpoint #517 2026-04-01 14:56:19 -07:00
exceptions fix(Docs): documentation renderer fixes 2025-12-23 16:00:33 -08:00
jobs feat(AI): enable remote AI chat host 2026-04-01 17:22:30 +00:00
middleware feat: background job overhaul with bullmq 2025-12-06 23:59:01 -08:00
models feat: support for updating services 2026-03-11 14:08:09 -07:00
services feat: support adding labels on dynamic container creation (#620) 2026-04-01 11:12:28 -07:00
utils feat(rag): add EPUB file support for Knowledge Base uploads (#257) 2026-04-01 17:22:30 +00:00
validators fix: block IPv4-mapped IPv6 and IPv6 all-zeros in SSRF check (#520) 2026-04-01 15:01:50 -07:00