🎯 fix: Actions Allowed Domains Handling (#11215)

* 🔧 fix: Update domain handling in ActionsInput components for SSRF validation - Refactored domain extraction logic in ActionsInput components to include protocol in the domain metadata for proper SSRF validation. - Ensured that the domain is constructed as `${parsedUrl.protocol}//${parsedUrl.hostname}` to enhance security and prevent potential vulnerabilities. This change improves the handling of user-provided domains and aligns with best practices for security in URL processing. * 🔧 fix: Include missing `actions` field in AppService configuration
2026-02-28 05:14:08 +01:00 · 2026-01-05 14:58:26 -05:00 · 2026-01-05 14:58:26 -05:00 · 019c59f10e
commit 019c59f10e
parent e343180740
4 changed files with 18 additions and 19 deletions
--- a/packages/data-provider/src/actions.ts
+++ b/packages/data-provider/src/actions.ts
@ -698,9 +698,9 @@ export function validateActionDomain(
    if (clientHasProtocol) {
      normalizedClientDomain = extractDomainFromUrl(clientProvidedDomain);
    } else {
-      // IP addresses inherit protocol from spec, domains default to https
+      // No protocol specified by client
      if (isIPAddress) {
-        // IPv6 addresses need brackets in URLs
+        // IPs inherit protocol from spec (for legitimate internal services)
        const ipVersion = isIP(normalizedClientHostname);
        const hostname =
          ipVersion === 6 && !clientHostname.startsWith('[')
@ -708,6 +708,7 @@ export function validateActionDomain(
            : clientHostname;
        normalizedClientDomain = `${specUrl.protocol}//${hostname}`;
      } else {
+        // Domain names default to HTTPS for security (forces explicit protocol)
        normalizedClientDomain = `https://${clientHostname}`;
      }
    }
--- a/packages/data-schemas/src/app/service.ts
+++ b/packages/data-schemas/src/app/service.ts
@ -62,6 +62,7 @@ export const AppService = async (params?: {

  const mcpServersConfig = config.mcpServers || null;
  const mcpSettings = config.mcpSettings || null;
+  const actions = config.actions;
  const registration = config.registration ?? configDefaults.registration;
  const interfaceConfig = await loadDefaultInterface({ config, configDefaults });
  const turnstileConfig = loadTurnstileConfig(config, configDefaults);
@ -74,6 +75,7 @@ export const AppService = async (params?: {
    memory,
    speech,
    balance,
+    actions,
    transactions,
    mcpConfig: mcpServersConfig,
    mcpSettings,
@ -103,9 +105,9 @@ export const AppService = async (params?: {

  const loadedEndpoints = loadEndpoints(config, agentsDefaults);

-  const appConfig = {
+  const appConfig: AppConfig = {
    ...defaultConfig,
-    fileConfig: config?.fileConfig,
+    fileConfig: config?.fileConfig as AppConfig['fileConfig'],
    secureImageLinks: config?.secureImageLinks,
    modelSpecs: processModelSpecs(config?.endpoints, config.modelSpecs, interfaceConfig),
    endpoints: loadedEndpoints,