From 649826e4352ec17a492cef75ce1cc148e2af61ef Mon Sep 17 00:00:00 2001
From: AI-Reviewer-QS <qs-ai-reviewer@quantstamp.com>
Date: Sat, 14 Feb 2026 01:38:40 +0800
Subject: [PATCH] fix(security): block private/loopback/metadata IPs in
 link-understanding URL detection (#15604)

* fix(security): block private/loopback/metadata IPs in link-understanding URL detection

isAllowedUrl() only blocked 127.0.0.1, leaving localhost, ::1, 0.0.0.0,
private RFC1918 ranges, link-local (169.254.x.x including cloud metadata),
and CGNAT (100.64.0.0/10) accessible for SSRF via link-understanding.

Add comprehensive hostname/IP blocking consistent with the SSRF guard
already used by media/fetch.ts.

* fix(security): harden link-understanding SSRF host checks

* fix: note link-understanding SSRF hardening in changelog (#15604) (thanks @AI-Reviewer-QS)

---------

Co-authored-by: Yi LIU <yi@quantstamp.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
---
 CHANGELOG.md                          |  1 +
 src/link-understanding/detect.test.ts | 40 +++++++++++++++++++++++++++
 src/link-understanding/detect.ts      | 13 ++++++++-
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index afe07a0b8..cf5963133 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ Docs: https://docs.openclaw.ai
 - Security/Audit: distinguish external webhooks (`hooks.enabled`) from internal hooks (`hooks.internal.enabled`) in attack-surface summaries to avoid false exposure signals when only internal hooks are enabled. (#13474) Thanks @mcaxtr.
 - Security/Onboarding: clarify multi-user DM isolation remediation with explicit `openclaw config set session.dmScope ...` commands in security audit, doctor security, and channel onboarding guidance. (#13129) Thanks @VintLin.
 - Security/Audit: add misconfiguration checks for sandbox Docker config with sandbox mode off, ineffective `gateway.nodes.denyCommands` entries, global minimal tool-profile overrides by agent profiles, and permissive extension-plugin tool reachability.
+- Security/Link understanding: block loopback/internal host patterns and private/mapped IPv6 addresses in extracted URL handling to close SSRF bypasses in link CLI flows. (#15604) Thanks @AI-Reviewer-QS.
 - Android/Nodes: harden `app.update` by requiring HTTPS and gateway-host URL matching plus SHA-256 verification, stream URL camera downloads to disk with size guards to avoid memory spikes, and stop signing release builds with debug keys. (#13541) Thanks @smartprogrammer93.
 - Auto-reply/Threading: auto-inject implicit reply threading so `replyToMode` works without requiring model-emitted `[[reply_to_current]]`, while preserving `replyToMode: "off"` behavior for implicit Slack replies and keeping block-streaming chunk coalescing stable under `replyToMode: "first"`. (#14976) Thanks @Diaspar4u.
 - Sandbox: pass configured `sandbox.docker.env` variables to sandbox containers at `docker create` time. (#15138) Thanks @stevebot-alive.
diff --git a/src/link-understanding/detect.test.ts b/src/link-understanding/detect.test.ts
index f65280b8b..c7f2ee83a 100644
--- a/src/link-understanding/detect.test.ts
+++ b/src/link-understanding/detect.test.ts
@@ -23,4 +23,44 @@ describe("extractLinksFromMessage", () => {
     const links = extractLinksFromMessage("http://127.0.0.1/test https://ok.test");
     expect(links).toEqual(["https://ok.test"]);
   });
+
+  it("blocks localhost and common loopback addresses", () => {
+    expect(extractLinksFromMessage("http://localhost/secret")).toEqual([]);
+    expect(extractLinksFromMessage("http://foo.localhost/secret")).toEqual([]);
+    expect(extractLinksFromMessage("http://service.local/secret")).toEqual([]);
+    expect(extractLinksFromMessage("http://service.internal/secret")).toEqual([]);
+    expect(extractLinksFromMessage("http://0.0.0.0/secret")).toEqual([]);
+    expect(extractLinksFromMessage("http://[::1]/secret")).toEqual([]);
+  });
+
+  it("blocks private network ranges", () => {
+    expect(extractLinksFromMessage("http://10.0.0.1/internal")).toEqual([]);
+    expect(extractLinksFromMessage("http://172.16.0.1/internal")).toEqual([]);
+    expect(extractLinksFromMessage("http://192.168.1.1/internal")).toEqual([]);
+  });
+
+  it("blocks link-local and cloud metadata addresses", () => {
+    expect(extractLinksFromMessage("http://169.254.169.254/latest/meta-data/")).toEqual([]);
+    expect(extractLinksFromMessage("http://169.254.1.1/test")).toEqual([]);
+    expect(extractLinksFromMessage("http://metadata.google.internal/computeMetadata/v1/")).toEqual(
+      [],
+    );
+  });
+
+  it("blocks CGNAT range used by Tailscale", () => {
+    expect(extractLinksFromMessage("http://100.100.50.1/test")).toEqual([]);
+  });
+
+  it("blocks private and mapped IPv6 addresses", () => {
+    expect(extractLinksFromMessage("http://[::ffff:127.0.0.1]/secret")).toEqual([]);
+    expect(extractLinksFromMessage("http://[fe80::1]/secret")).toEqual([]);
+    expect(extractLinksFromMessage("http://[fc00::1]/secret")).toEqual([]);
+  });
+
+  it("allows legitimate public URLs", () => {
+    expect(extractLinksFromMessage("https://example.com/page")).toEqual([
+      "https://example.com/page",
+    ]);
+    expect(extractLinksFromMessage("https://8.8.8.8/dns")).toEqual(["https://8.8.8.8/dns"]);
+  });
 });
diff --git a/src/link-understanding/detect.ts b/src/link-understanding/detect.ts
index 79899f94b..5c2a74e3f 100644
--- a/src/link-understanding/detect.ts
+++ b/src/link-understanding/detect.ts
@@ -1,3 +1,4 @@
+import { isBlockedHostname, isPrivateIpAddress } from "../infra/net/ssrf.js";
 import { DEFAULT_MAX_LINKS } from "./defaults.js";
 
 // Remove markdown link syntax so only bare URLs are considered.
@@ -21,7 +22,7 @@ function isAllowedUrl(raw: string): boolean {
     if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
       return false;
     }
-    if (parsed.hostname === "127.0.0.1") {
+    if (isBlockedHost(parsed.hostname)) {
       return false;
     }
     return true;
@@ -30,6 +31,16 @@ function isAllowedUrl(raw: string): boolean {
   }
 }
 
+/** Block loopback, private, link-local, and metadata addresses. */
+function isBlockedHost(hostname: string): boolean {
+  const normalized = hostname.trim().toLowerCase();
+  return (
+    normalized === "localhost.localdomain" ||
+    isBlockedHostname(normalized) ||
+    isPrivateIpAddress(normalized)
+  );
+}
+
 export function extractLinksFromMessage(message: string, opts?: { maxLinks?: number }): string[] {
   const source = message?.trim();
   if (!source) {