mirror of
https://github.com/moltbot/moltbot.git
synced 2026-03-09 15:35:17 +00:00
* fix(security): block private/loopback/metadata IPs in link-understanding URL detection

  isAllowedUrl() only blocked 127.0.0.1, leaving localhost, ::1, 0.0.0.0, private RFC1918 ranges, link-local (169.254.x.x including cloud metadata), and CGNAT (100.64.0.0/10) accessible for SSRF via link-understanding. Add comprehensive hostname/IP blocking consistent with the SSRF guard already used by media/fetch.ts.

* fix(security): harden link-understanding SSRF host checks

* fix: note link-understanding SSRF hardening in changelog (#15604) (thanks @AI-Reviewer-QS)

---------

Co-authored-by: Yi LIU <yi@quantstamp.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
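As an added example (not moltbot's own code) of the kind of check the commit message describes: a TypeScript isAllowedUrl() that rejects the listed hosts and ranges. The function name is taken from the commit; the internals and the IPv6 equivalents (loopback, unspecified, IPv4-mapped, link-local, ULA) are assumptions, and it checks literal hosts only, not what a hostname resolves to at fetch time.

```typescript
// Added example, not moltbot's own code. isAllowedUrl is the name from the
// commit; the internals are assumptions. Literal hosts only: a hostname that
// resolves to a private address must still be checked at resolution time.

function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isBlockedIPv4([a, b]: number[]): boolean {
  if (a === 0) return true;                           // 0.0.0.0/8
  if (a === 10) return true;                          // RFC1918 10.0.0.0/8
  if (a === 127) return true;                         // loopback 127.0.0.0/8
  if (a === 169 && b === 254) return true;            // link-local, incl. cloud metadata
  if (a === 172 && b >= 16 && b <= 31) return true;   // RFC1918 172.16.0.0/12
  if (a === 192 && b === 168) return true;            // RFC1918 192.168.0.0/16
  if (a === 100 && b >= 64 && b <= 127) return true;  // CGNAT 100.64.0.0/10
  return false;
}

function isBlockedIPv6(v6: string): boolean {
  if (v6 === "::1" || v6 === "::") return true;       // loopback, unspecified
  // IPv4-mapped: the WHATWG URL parser serialises the low 32 bits as two hex groups
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return isBlockedIPv4([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff]);
  }
  return /^fe[89ab]/.test(v6) || /^f[cd]/.test(v6);   // link-local fe80::/10, ULA fc00::/7
}

function isBlockedHostname(hostname: string): boolean {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  // URL.hostname keeps IPv6 literals bracketed, e.g. "[::1]"
  if (host.startsWith("[") && host.endsWith("]")) return isBlockedIPv6(host.slice(1, -1));
  const v4 = parseIPv4(host);
  return v4 !== null && isBlockedIPv4(v4);
}

function isAllowedUrl(raw: string): boolean {
  // The URL parser also normalises shorthand IPv4 (e.g. "127.1", a bare decimal) to dotted form
  const url = (() => { try { return new URL(raw); } catch { return null; } })();
  if (!url) return false;
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return !isBlockedHostname(url.hostname);
}
```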