LibreChat/packages/data-provider/specs
Danny Avila 086e9a92dc
🔒 feat: Enhance Actions SSRF Protection with Comprehensive IP and Domain Validation (#10583)
* 🔒 feat: Enhance SSRF Protection with Comprehensive IP and Domain Validation

* Added extensive tests for validating IP addresses and domains to prevent SSRF attacks, including checks for internal, private, and link-local addresses.
* Improved domain validation logic to handle various edge cases, ensuring only legitimate requests are processed.
* Implemented security measures against common cloud provider metadata access and internal service exploitation.
* Updated existing tests to reflect changes in validation logic and ensure robust security coverage.

* chore: cleanup comments

* 🔒 feat: Improve Domain Validation Logic for Enhanced Security

* Added logic to extract and normalize hostnames from client-provided domains, including handling of URLs and IP addresses.
* Implemented checks using Node.js's net module to validate IP addresses, ensuring robust domain validation.
* Updated existing validation conditions to enhance security against potential SSRF attacks.

* feat: Additional Protocol Checks and IPv6 Support

* Added tests to reject unsupported protocols (FTP, WebSocket, file) in client domains to strengthen SSRF protection.
* Improved domain extraction logic to preserve brackets for IPv6 addresses, ensuring correct URL formatting.
* Updated validation logic to handle various edge cases for client-provided domains, enhancing overall security.

* feat: Expand Domain Validation Tests for Enhanced SSRF Protection

* Added comprehensive tests for handling various URL formats, including IPv6 addresses, authentication credentials, and special characters in paths.
* Implemented additional validation scenarios for client domains, covering edge cases such as malformed URLs, empty strings, and unsupported protocols.
* Enhanced handling of internationalized domain names and localhost variations to ensure robust domain extraction and validation.
2025-11-19 17:42:17 -05:00
actions.spec.ts 🔒 feat: Enhance Actions SSRF Protection with Comprehensive IP and Domain Validation (#10583) 2025-11-19 17:42:17 -05:00
azure.spec.ts 🔑 fix: Azure Serverless Support for API Key Header & Version (#4791) 2024-11-25 13:33:06 -05:00
bedrock.spec.ts 🪨 feat: Bedrock Support for Claude-4 Reasoning (#7517) 2025-05-23 00:42:51 -04:00
filetypes.spec.ts 📎 feat: Upload as Text Support for Plaintext, STT, RAG, and Token Limits (#8868) 2025-08-27 03:44:39 -04:00
generate.spec.ts 🪐 feat: Initial OpenAI Responses API Support (#8149) 2025-06-30 18:34:47 -04:00
openapiSpecs.ts 📋 feat: Support Custom Content-Types in Action Descriptors (#9364) 2025-08-29 23:02:40 -04:00
parsers.spec.ts 🗓️ feat: Add Special Variables for Prompts & Agents, Prompt UI Improvements (#7123) 2025-04-29 03:49:02 -04:00
utils.spec.ts 🖼️ refactor: Enhance Env Extraction & Agent Image Handling (#6131) 2025-03-01 07:51:12 -05:00