mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-02-11 20:14:24 +01:00
🎯 fix: Actions Allowed Domains Handling (#11215)
* 🔧 fix: Update domain handling in ActionsInput components for SSRF validation - Refactored domain extraction logic in ActionsInput components to include protocol in the domain metadata for proper SSRF validation. - Ensured that the domain is constructed as `${parsedUrl.protocol}//${parsedUrl.hostname}` to enhance security and prevent potential vulnerabilities. This change improves the handling of user-provided domains and aligns with best practices for security in URL processing. * 🔧 fix: Include missing `actions` field in AppService configuration
This commit is contained in:
parent
e343180740
commit
019c59f10e
4 changed files with 18 additions and 19 deletions
|
|
@ -698,9 +698,9 @@ export function validateActionDomain(
|
|||
if (clientHasProtocol) {
|
||||
normalizedClientDomain = extractDomainFromUrl(clientProvidedDomain);
|
||||
} else {
|
||||
// IP addresses inherit protocol from spec, domains default to https
|
||||
// No protocol specified by client
|
||||
if (isIPAddress) {
|
||||
// IPv6 addresses need brackets in URLs
|
||||
// IPs inherit protocol from spec (for legitimate internal services)
|
||||
const ipVersion = isIP(normalizedClientHostname);
|
||||
const hostname =
|
||||
ipVersion === 6 && !clientHostname.startsWith('[')
|
||||
|
|
@ -708,6 +708,7 @@ export function validateActionDomain(
|
|||
: clientHostname;
|
||||
normalizedClientDomain = `${specUrl.protocol}//${hostname}`;
|
||||
} else {
|
||||
// Domain names default to HTTPS for security (forces explicit protocol)
|
||||
normalizedClientDomain = `https://${clientHostname}`;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue