Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-30 15:18:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
LibreChat/packages/data-provider
History
Danny Avila 4fd09946d2
🔒 fix: Better SSRF protection for Actions (#11143) 
Addresses Server-Side Request Forgery vulnerability that allowed authenticated
attackers to interact with arbitrary internal/external HTTP services via the
Actions feature, including the internal RAG API, localhost services, and cloud
metadata endpoints.

## Security Changes

### 1. SSRF Target Blocklist (when allowedDomains is empty)
- Block localhost and loopback addresses (127.0.0.0/8, ::1)
- Block private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Block link-local/cloud metadata IPs (169.254.0.0/16)
- Block common internal Docker/Kubernetes service names (rag_api, redis, mongo, etc.)
- Block .internal and .local TLDs

Admins can still explicitly allow internal targets by adding them to
`actions.allowedDomains` in librechat.yaml.

### 2. Protocol and Port Restrictions
Enhanced `allowedDomains` to support protocol and port constraints:
- `example.com` - any protocol, any port (existing behavior)
- `https://example.com` - HTTPS only, any port
- `https://api.example.com:8443` - HTTPS only, port 8443 only

This allows admins to restrict actions to specific protocols/ports, preventing
attackers from accessing unintended services on allowed domains.

### 3. Redirect-based SSRF Prevention
Disabled automatic redirect following in action HTTP requests (`maxRedirects: 0`).
This prevents attackers from bypassing domain restrictions by:
1. Pointing action to allowed external domain
2. External domain redirects to internal service (e.g., 127.0.0.1)
3. Server follows redirect and accesses internal service

## Files Changed
- packages/api/src/auth/domain.ts: Added isSSRFTarget(), parseDomainSpec(),
  updated isActionDomainAllowed() with protocol/port matching
- packages/api/src/auth/domain.spec.ts: Added tests for SSRF protection,
  protocol restrictions, and port restrictions
- packages/data-provider/src/actions.ts: Added maxRedirects: 0 to axios config

## Configuration Example
# librechat.yaml
actions:
  allowedDomains:
    - "https://api.example.com"        # HTTPS only
    - "https://api.example.com:8443"   # HTTPS + specific port
    - "http://localhost:3000"          # Admin override for local devRef: SBA-ADV-20251205-02
CVSSv3: 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
2025-12-29 15:09:55 -05:00
..
react-query 📦 chore: bump axios to v1.12.1 (#9600) 2025-09-12 13:00:12 -04:00
specs 🔐 fix: Secure iconURL Handling (#10753) 2025-12-01 17:41:39 -05:00
src 🔒 fix: Better SSRF protection for Actions (#11143) 2025-12-29 15:09:55 -05:00
.gitignore 🔄 refactor: Consolidate Ask/Edit Controllers (#1365) 2023-12-15 15:47:40 -05:00
babel.config.js chore: add back data-provider 2023-07-30 11:50:24 -04:00
check_updates.sh 🔧 feat: Initial MCP Support (Tools) (#5015) 2024-12-17 13:12:57 -05:00
jest.config.js chore: add back data-provider 2023-07-30 11:50:24 -04:00
package.json 💾 feat: Add Memory Configuration Options for CI unit tests (#10567) 2025-12-25 16:17:17 -05:00
rollup.config.js ⚙️ chore: Update Build Config due to Windows Tests (#9511) 2025-09-08 14:16:49 -04:00
server-rollup.config.js 🚀 feat: Add Code API Proxy Support and Update MCP SDK (#6203) 2025-03-06 12:47:59 -05:00
tsconfig.json feat: OAuth for Actions (#5693) 2025-02-10 15:56:08 -05:00
tsconfig.spec.json feat: Assistants API, General File Support, Side Panel, File Explorer (#1696) 2024-02-13 20:42:27 -05:00