Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-31 12:57:20 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
LibreChat/packages/api/src/web
History
Danny Avila 1312cd757c
🛡️ fix: Validate User-provided URLs for Web Search (#12247) 
* 🛡️ fix: SSRF-validate user-provided URLs in web search auth

User-controlled URL fields (jinaApiUrl, firecrawlApiUrl, searxngInstanceUrl)
flow from plugin auth into outbound HTTP requests without validation.
Reuse existing isSSRFTarget/resolveHostnameSSRF to block private/internal
targets while preserving admin-configured (env var) internal URLs.

* 🛡️ fix: Harden web search SSRF validation

- Reject non-HTTP(S) schemes (file://, ftp://, etc.) in isSSRFUrl
- Conditional write: only assign to authResult after SSRF check passes
- Move isUserProvided tracking after SSRF gate to avoid false positives
- Add authenticated assertions for optional-field SSRF blocks in tests
- Add file:// scheme rejection test
- Wrap process.env mutation in try/finally guard
- Add JSDoc + sync-obligation comment on WEB_SEARCH_URL_KEYS

* 🛡️ fix: Correct auth-type reporting for SSRF-stripped optional URLs

SSRF-stripped optional URL fields no longer pollute isUserProvided.
Track whether the field actually contributed to authResult before
crediting it as user-provided, so categories report SYSTEM_DEFINED
when all surviving values match env vars.
2026-03-15 18:05:08 -04:00
..
index.ts 🔥 feat: Add Firecrawl Scraper Configurability (#8495) 2025-07-18 22:37:57 -04:00
web.spec.ts 🛡️ fix: Validate User-provided URLs for Web Search (#12247) 2026-03-15 18:05:08 -04:00
web.ts 🛡️ fix: Validate User-provided URLs for Web Search (#12247) 2026-03-15 18:05:08 -04:00