add SSRF notice
This commit is contained in:
parent
6bb537da5c
commit
b541623c9e
@ -1,3 +1,16 @@
|
||||
/** ATTN: SECURITY RESEARCHERS
|
||||
* To Security researchers about to submit an SSRF report CVE - please don't.
|
||||
* We are aware that the code below is does not defend against any of the thousands of ways
|
||||
* you can map a hostname to another IP. The code below does not have intention of blocking this
|
||||
* and is simply to prevent the user from accidentally putting in non-valid websites, which is all this protects
|
||||
* since _all urls must be submitted by the user anyway_ and cannot be done with authentication and manager or admin roles.
|
||||
* If an attacker has those roles then the system is already vulnerable and this is not a primary concern.
|
||||
*
|
||||
* We have gotten this report may times, marked them as duplicate or information and continue to get them. We communicate
|
||||
* already that deployment (and security) of an instance is on the deployer and system admin deploying it. This would include
|
||||
* isolation, firewalls, and the general security of the instance.
|
||||
*/
|
||||
|
||||
const VALID_PROTOCOLS = ["https:", "http:"];
|
||||
const INVALID_OCTETS = [192, 172, 10, 127];
|
||||
|
||||
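Review bot: The added notice has wording errors that undercut its purpose as the canonical reply to repeat reports: line 19 reads `is does not defend`, line 28 says URL submission `cannot be done with authentication and manager or admin roles` where the surrounding sentence implies `without`, and line 37 has `may times`. Suggested replacements: ` * We are aware that the code below does not defend against any of the thousands of ways`, ` * since _all urls must be submitted by the user anyway_ and cannot be done without authentication and manager or admin roles.`, and ` * We have gotten this report many times, marked them as duplicate or informational and continue to get them.`. It would also help a deployer reading this to state in one sentence what the check does cover (a scheme allow-list and an address deny-list, as the names VALID_PROTOCOLS and INVALID_OCTETS suggest) and that outbound network isolation is the deployer's control, so the comment reads as guidance rather than only a disclaimer. The validURL function that consumes these constants starts outside this hunk.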
@ -19,7 +32,7 @@ function validURL(url) {
|
||||
if (!VALID_PROTOCOLS.includes(destination.protocol)) return false;
|
||||
if (isInvalidIp(destination)) return false;
|
||||
return true;
|
||||
} catch {}
|
||||
} catch { }
|
||||
return false;
|
||||
}
|
||||
|
||||
|