Moltbot

Files

AI-Reviewer-QS 649826e435 fix(security): block private/loopback/metadata IPs in link-understanding URL detection (#15604 )

* fix(security): block private/loopback/metadata IPs in link-understanding URL detection

isAllowedUrl() only blocked 127.0.0.1, leaving localhost, ::1, 0.0.0.0,
private RFC1918 ranges, link-local (169.254.x.x including cloud metadata),
and CGNAT (100.64.0.0/10) accessible for SSRF via link-understanding.

Add comprehensive hostname/IP blocking consistent with the SSRF guard
already used by media/fetch.ts.

* fix(security): harden link-understanding SSRF host checks

* fix: note link-understanding SSRF hardening in changelog (#15604) (thanks @AI-Reviewer-QS)

---------

Co-authored-by: Yi LIU <yi@quantstamp.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>

2026-02-13 18:38:40 +01:00

apply.ts

chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.

2026-02-01 10:03:47 +09:00

defaults.ts

Add link understanding tool support (#1637 )

2026-01-25 00:15:54 +00:00

detect.test.ts

fix(security): block private/loopback/metadata IPs in link-understanding URL detection (#15604 )

2026-02-13 18:38:40 +01:00

detect.ts

fix(security): block private/loopback/metadata IPs in link-understanding URL detection (#15604 )