github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix: add bypass for ssrf check to force dissallow internal ip

Browse Source
This commit is contained in:
jubnl
2026-04-03 14:45:12 +02:00
parent 816696d0fe
commit bf2eea18c3
2 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
server/src/services/collabService.ts
View File

@@ -394,7 +394,7 @@ export async function fetchLinkPreview(url: string): Promise<LinkPreviewResult>
const fallback: LinkPreviewResult = { title: null, description: null, image: null, url }; const fallback: LinkPreviewResult = { title: null, description: null, image: null, url };
const parsed = new URL(url); const parsed = new URL(url);
const ssrf = await checkSsrf(url); const ssrf = await checkSsrf(url, true);
if (!ssrf.allowed) { if (!ssrf.allowed) {
return { ...fallback, error: ssrf.error } as LinkPreviewResult & { error?: string }; return { ...fallback, error: ssrf.error } as LinkPreviewResult & { error?: string };
} }

4
server/src/utils/ssrfGuard.ts
View File

@@ -53,7 +53,7 @@ function isInternalHostname(hostname: string): boolean {
return h.endsWith('.local') || h.endsWith('.internal') || h === 'localhost'; return h.endsWith('.local') || h.endsWith('.internal') || h === 'localhost';
} }
export async function checkSsrf(rawUrl: string): Promise<SsrfResult> { export async function checkSsrf(rawUrl: string, bypassInternalIpAllowed: boolean = false): Promise<SsrfResult> {
let url: URL; let url: URL;
try { try {
url = new URL(rawUrl); url = new URL(rawUrl);
@@ -91,7 +91,7 @@ export async function checkSsrf(rawUrl: string): Promise<SsrfResult> {
} }
if (isPrivateNetwork(resolvedIp) || isInternalHostname(hostname)) { if (isPrivateNetwork(resolvedIp) || isInternalHostname(hostname)) {
if (!ALLOW_INTERNAL_NETWORK) { if (!ALLOW_INTERNAL_NETWORK || bypassInternalIpAllowed) {
return { return {
allowed: false, allowed: false,
isPrivate: true, isPrivate: true,