fix(ssrf): respect ALLOWED_PRIVATE_HOSTS in isSsrfSafe and assertSsrfSafeResolved#187

Merged
therealbrad merged 1 commit intomainfrom
fix/ssrf-allowlist-private-hosts
Apr 11, 2026

Conversation

@therealbrad
Contributor

Summary

  • isSsrfSafe() and assertSsrfSafeResolved() in utils/ssrf.ts were blocking private/internal hosts without checking the ALLOWED_PRIVATE_HOSTS env var
  • Self-hosted integrations (Gitea, GitLab, etc.) on private networks failed even when the hostname/IP was in the allowlist
  • Both functions now import and check getAllowedPrivateHosts() before rejecting

Test plan

  • Existing 81 SSRF tests pass
  • New tests verify allowlist is respected for both functions
  • Manual: set ALLOWED_PRIVATE_HOSTS=<internal-host> and confirm Gitea connection succeeds

🤖 Generated with Claude Code
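To make the failure mode in the summary concrete, here is an added, self-contained reconstruction of an allowlist-aware SSRF check. It is not the project's `utils/ssrf.ts`: the function bodies, the comma-separated format assumed for `ALLOWED_PRIVATE_HOSTS`, the `Env` parameter (passed explicitly instead of reading `process.env`), the private-range table, and the sample environment are all assumptions made for this example. `isSsrfSafeIgnoringAllowlist` shows the pre-fix behaviour the PR describes; `isSsrfSafe` and `assertSsrfSafeResolved` show the allowlist being consulted before a private host is rejected.

```typescript
// Added example, not the project's utils/ssrf.ts. All names and formats
// below are hypothetical reconstructions of the behaviour the PR describes.

type Env = Record<string, string | undefined>;

/** Parse ALLOWED_PRIVATE_HOSTS (assumed comma-separated) into a normalised set. */
export function getAllowedPrivateHosts(env: Env): Set<string> {
  const raw = env.ALLOWED_PRIVATE_HOSTS ?? "";
  return new Set(
    raw.split(",").map((h) => h.trim().toLowerCase()).filter((h) => h.length > 0),
  );
}

/** True for IPv4 literals in loopback, link-local, RFC 1918 and unspecified ranges. */
export function isPrivateIPv4(ip: string): boolean {
  const parts = ip.split(".");
  if (parts.length !== 4) return false;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  if (octets.some((o) => Number.isNaN(o) || o > 255)) return false;
  const [a, b] = octets;
  return (
    a === 10 ||
    a === 127 ||
    a === 0 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

/** Hostnames treated as internal by name rather than by address (assumed list). */
function isInternalHostname(host: string): boolean {
  return host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal");
}

/**
 * Pre-fix behaviour: every private/internal host is rejected and the operator
 * allowlist is never consulted. Kept only to show the bug the PR fixes.
 */
export function isSsrfSafeIgnoringAllowlist(host: string): boolean {
  const h = host.trim().toLowerCase();
  return !(isPrivateIPv4(h) || isInternalHostname(h));
}

/** Fixed behaviour: an explicitly allowlisted private host or IP is accepted. */
export function isSsrfSafe(host: string, allowed: Set<string>): boolean {
  const h = host.trim().toLowerCase();
  if (allowed.has(h)) return true;
  return isSsrfSafeIgnoringAllowlist(h);
}

/**
 * Post-resolution check (assumed semantics): a public-looking name may resolve
 * to a private address, so the resolved IP is checked too. Both the name and
 * the address are tested against the allowlist before anything is rejected.
 */
export function assertSsrfSafeResolved(host: string, resolvedIp: string, allowed: Set<string>): void {
  const h = host.trim().toLowerCase();
  if (allowed.has(h) || allowed.has(resolvedIp)) return;
  if (!isSsrfSafeIgnoringAllowlist(h) || isPrivateIPv4(resolvedIp)) {
    throw new Error(`SSRF blocked: ${host} -> ${resolvedIp} is private and not in ALLOWED_PRIVATE_HOSTS`);
  }
}

// Constructed sample environment: a self-hosted Gitea on a private network.
export const SAMPLE_ENV: Env = { ALLOWED_PRIVATE_HOSTS: "gitea.corp.internal, 10.0.5.20" };

/** Returns [pre-fix verdict, post-fix verdict] for the allowlisted host. */
export function demo(): [boolean, boolean] {
  const allowed = getAllowedPrivateHosts(SAMPLE_ENV);
  return [
    isSsrfSafeIgnoringAllowlist("gitea.corp.internal"), // false: blocked despite allowlist
    isSsrfSafe("gitea.corp.internal", allowed),          // true: allowlist respected
  ];
}
```

The allowlist is consulted first and only for exact, normalised matches, so an entry such as `10.0.5.20` does not open up the rest of `10.0.0.0/8`; any private host not explicitly listed is still rejected, which is the narrow exception an operator running a self-hosted Gitea or GitLab wants.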

…SafeResolved

Both functions in utils/ssrf.ts blocked private/internal hosts without
checking the operator allowlist, causing self-hosted Gitea (and similar)
connections to fail even with ALLOWED_PRIVATE_HOSTS configured.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@therealbrad therealbrad merged commit 167d113 into main Apr 11, 2026
5 checks passed
@therealbrad therealbrad deleted the fix/ssrf-allowlist-private-hosts branch April 11, 2026 14:50
@therealbrad
Contributor Author

🎉 This PR is included in version 0.21.6 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

therealbrad pushed a commit that referenced this pull request Apr 12, 2026
## [0.21.6](v0.21.5...v0.21.6) (2026-04-11)

### Bug Fixes

* **ssrf:** respect ALLOWED_PRIVATE_HOSTS in isSsrfSafe and assertSsrfSafeResolved ([#187](#187)) ([167d113](167d113))