From bf2eea18c3e4c14eb995595552ef4ebc4196dcfe Mon Sep 17 00:00:00 2001
From: jubnl
Date: Fri, 3 Apr 2026 14:45:12 +0200
Subject: [PATCH] Fix: add bypass for ssrf check to force dissallow internal ip
---
 server/src/services/collabService.ts | 2 +-
 server/src/utils/ssrfGuard.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/server/src/services/collabService.ts b/server/src/services/collabService.ts
index e592f67..52e6b52 100644
--- a/server/src/services/collabService.ts
+++ b/server/src/services/collabService.ts
@@ -394,7 +394,7 @@ export async function fetchLinkPreview(url: string): Promise
 const fallback: LinkPreviewResult = { title: null, description: null, image: null, url };
 const parsed = new URL(url);
- const ssrf = await checkSsrf(url);
+ const ssrf = await checkSsrf(url, true);
 if (!ssrf.allowed) {
 return { ...fallback, error: ssrf.error } as LinkPreviewResult & { error?: string };
 }
diff --git a/server/src/utils/ssrfGuard.ts b/server/src/utils/ssrfGuard.ts
index 914f8a5..6927a1d 100644
--- a/server/src/utils/ssrfGuard.ts
+++ b/server/src/utils/ssrfGuard.ts
@@ -53,7 +53,7 @@ function isInternalHostname(hostname: string): boolean {
 return h.endsWith('.local') || h.endsWith('.internal') || h === 'localhost';
 }
-export async function checkSsrf(rawUrl: string): Promise {
+export async function checkSsrf(rawUrl: string, bypassInternalIpAllowed: boolean = false): Promise {
 let url: URL;
 try {
 url = new URL(rawUrl);
@@ -91,7 +91,7 @@ export async function checkSsrf(rawUrl: string): Promise {
 }
 if (isPrivateNetwork(resolvedIp) || isInternalHostname(hostname)) {
- if (!ALLOW_INTERNAL_NETWORK) {
+ if (!ALLOW_INTERNAL_NETWORK || bypassInternalIpAllowed) {
 return { allowed: false, isPrivate: true,
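Review bot: The bare `true` in `checkSsrf(url, true)` reads, given the parameter's name `bypassInternalIpAllowed`, as if link previews were being exempted from the internal-IP block, when the guard change in ssrfGuard.ts makes `true` do the opposite (refuse private/internal targets even when `ALLOW_INTERNAL_NETWORK` is set); the next reader of this call site will draw the wrong conclusion about its security posture. Record the intent where the literal is: `// Link previews fetch user-supplied URLs: refuse private/internal targets even when ALLOW_INTERNAL_NETWORK is enabled for the deployment.` Note also that `new URL(url)` on the line above runs before the guard and throws on a malformed string, so that case surfaces as an exception rather than the `{ ...fallback, error }` result the guard path returns — presumably caught upstream, but worth confirming since this is the only path that produces the fallback. fetchLinkPreview continues outside the hunk.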
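Review bot: The new parameter's name inverts its effect: `bypassInternalIpAllowed` says the caller may bypass the internal-IP restriction, while the second hunk makes `true` force a denial regardless of `ALLOW_INTERNAL_NETWORK`, so a caller who passes `true` believing they are relaxing the check actually tightens it and vice versa — the most dangerous misread is a future caller passing `false` to "not bypass" and unknowingly re-enabling the deployment-level allowance for untrusted input. Name it for what it does and drop the redundant annotation (the `false` default already types it): `export async function checkSsrf(rawUrl: string, forceDenyInternal = false)`. Document the contract on the function: a TSDoc `@param forceDenyInternal` line saying it refuses private/internal targets even when `ALLOW_INTERNAL_NETWORK` is set and is meant for fetches of user-supplied URLs. checkSsrf's body continues outside the hunk.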
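Review bot: Forcing the denial here still leaves the check-then-use gap that the flag does not close: the decision is made on `resolvedIp` (and the literal hostname), but unless the caller connects to that same address and re-validates every redirect target, a name that resolves to a public address during this check and a private one on the subsequent fetch passes the guard; the fetch in fetchLinkPreview is not visible in this patch, so confirm it pins `resolvedIp` or re-runs `checkSsrf` on redirects. The condition itself is correct, but its two halves mean different things and deserve a comment on the `+` line: `// Deny if the deployment has not opted into internal targets, or if the caller handles untrusted URLs and must never reach them regardless of that opt-in.` The enclosing `if (isPrivateNetwork(...) || isInternalHostname(...))` block and the returned object run past the end of the hunk.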