dka/LibreChat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
086e9a92dc8445db794a09efe7ffe4300c0fad82
LibreChat/packages
History
Danny Avila 086e9a92dc 🔒 feat: Enhance Actions SSRF Protection with Comprehensive IP and Domain Validation (#10583) 
* 🔒 feat: Enhance SSRF Protection with Comprehensive IP and Domain Validation

* Added extensive tests for validating IP addresses and domains to prevent SSRF attacks, including checks for internal, private, and link-local addresses.
* Improved domain validation logic to handle various edge cases, ensuring only legitimate requests are processed.
* Implemented security measures against common cloud provider metadata access and internal service exploitation.
* Updated existing tests to reflect changes in validation logic and ensure robust security coverage.

* chore: cleanup comments

* 🔒 feat: Improve Domain Validation Logic for Enhanced Security

* Added logic to extract and normalize hostnames from client-provided domains, including handling of URLs and IP addresses.
* Implemented checks using Node.js's net module to validate IP addresses, ensuring robust domain validation.
* Updated existing validation conditions to enhance security against potential SSRF attacks.

* feat: Additional Protocol Checks and IPv6 Support

* Added tests to reject unsupported protocols (FTP, WebSocket, file) in client domains to strengthen SSRF protection.
* Improved domain extraction logic to preserve brackets for IPv6 addresses, ensuring correct URL formatting.
* Updated validation logic to handle various edge cases for client-provided domains, enhancing overall security.

* feat: Expand Domain Validation Tests for Enhanced SSRF Protection

* Added comprehensive tests for handling various URL formats, including IPv6 addresses, authentication credentials, and special characters in paths.
* Implemented additional validation scenarios for client domains, covering edge cases such as malformed URLs, empty strings, and unsupported protocols.
* Enhanced handling of internationalized domain names and localhost variations to ensure robust domain extraction and validation.
2025-11-19 17:42:17 -05:00
..
api
🤖 feat: Gemini 3 Support (#10584)
2025-11-19 15:05:37 -05:00
client
📢 fix: Resolved Screen Reader Issues with TooltipAnchor (#10580)
2025-11-19 17:10:10 -05:00
data-provider
🔒 feat: Enhance Actions SSRF Protection with Comprehensive IP and Domain Validation (#10583)
2025-11-19 17:42:17 -05:00
data-schemas
🤖 refactor: Improve Agent Handoff Context Tracking (#10553)
2025-11-17 16:57:51 -05:00