Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-16 20:56:35 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
LibreChat/packages
History
Danny Avila a0b4949a05
🛡️ fix: Cover full fe80::/10 link-local range in IPv6 check (#12244) 
* 🛡️ fix: Cover full fe80::/10 link-local range in SSRF IPv6 check

The `isPrivateIP` check used `startsWith('fe80')` which only matched
fe80:: but missed fe90::–febf:: (the rest of the RFC 4291 fe80::/10
link-local block). Replace with a proper bitwise hextet check.

* 🛡️ fix: Guard isIPv6LinkLocal against parseInt partial-parse on hostnames

parseInt('fe90.example.com', 16) stops at the dot and returns 0xfe90,
which passes the bitmask check and false-positives legitimate domains.

Add colon-presence guard (IPv6 literals always contain ':') and a hex
regex validation on the first hextet before parseInt.

Also document why fc/fd use startsWith while fe80::/10 needs bitwise.

*  test: Harden IPv6 link-local SSRF tests with false-positive guards

- Assert fe90/fea0/febf hostnames are NOT blocked (regression guard)
- Add feb0::1 and bracket form [fe90::1] to isPrivateIP coverage
- Extend resolveHostnameSSRF tests for fe90::1 and febf::1
2026-03-15 17:07:55 -04:00
..
api 🛡️ fix: Cover full fe80::/10 link-local range in IPv6 check (#12244) 2026-03-15 17:07:55 -04:00
client v0.8.3 (#12161) 2026-03-09 15:19:57 -04:00
data-provider 🐍 refactor: Normalize Non-Standard Browser MIME Type Aliases in inferMimeType (#12240) 2026-03-14 22:43:18 -04:00
data-schemas 🔑 fix: Require OTP Verification for 2FA Re-Enrollment and Backup Code Regeneration (#12223) 2026-03-14 01:51:31 -04:00