mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-18 01:44:38 +08:00
fix(security): block SSRF via custom AI model URL
Apply security.ValidateURL() to custom_api_url in PUT /api/models before storing — blocks private IPs, cloud metadata endpoints, and localhost. Replace plain http.Client in mcp/config.go with security.SafeHTTPClient() for defense-in-depth (DialContext blocks private IPs, CheckRedirect validates targets). Add SSRF warning to WithHTTPClient() docs.
This commit is contained in:
@@ -22,7 +22,11 @@ func WithLogger(logger Logger) ClientOption {
|
||||
}
|
||||
}
|
||||
|
||||
// WithHTTPClient sets custom HTTP client
|
||||
// WithHTTPClient sets custom HTTP client.
|
||||
//
|
||||
// WARNING: The default client uses security.SafeHTTPClient() with SSRF protection
|
||||
// (blocks private IPs, cloud metadata, validates redirects). Overriding it bypasses
|
||||
// these protections. Only use in tests or with a client providing equivalent safeguards.
|
||||
//
|
||||
// Usage example:
|
||||
// httpClient := &http.Client{Timeout: 60 * time.Second}
|
||||
|
||||
Reference in New Issue
Block a user