mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-19 16:25:50 +00:00
* fix(agents): scope provider SSRF trust by origin
* fix(provider): preserve explicit private-network deny
* docs(provider): document exact-origin SSRF trust
* test(provider): cover exact-origin SSRF edges
* docs(provider): align local model private-origin guidance
* refactor(ssrf): keep policy merging in infra
* test(ssrf): cover exact-origin trust through guard
* test(ssrf): block sibling private-origin redirects
* fix(provider): keep loopback trust origin-scoped
* fix(provider): block metadata origin trust
* fix(ssrf): keep metadata rebinding blocked
* fix(ssrf): block cloud metadata origins
* fix(ssrf): block ipv6 metadata origins
* fix(ssrf): block embedded metadata origins
* test(ssrf): cover embedded link-local metadata
* test(provider): cover custom anthropic proxy classification
* test(provider): widen transport policy mock
* test(plugin-sdk): assert metadata-IP allowedOrigins entries are rejected

  Plugin authors can construct an SsrFPolicy that lists any well-formed http(s) origin in allowedOrigins. The abuse-resistance lives one layer deeper, in resolvePinnedHostnameWithPolicy's metadata/link-local block. Add an SDK-level smoke test asserting that contract directly:

  - AWS/Alibaba IMDS IPv4 literals, GCP metadata canonical hostname, IPv6 ULA metadata literal, and non-metadata link-local IPv4 entries build a policy via ssrfPolicyFromHttpBaseUrlAllowedOrigin and are then rejected at resolvePinnedHostnameWithPolicy.
  - DNS rebinding from a trusted private DNS origin to a metadata IP is rejected even when the request hostname is origin-trusted.

  This would fail if the SDK helper or resolveSsrFPolicyForUrl ever short-circuited past the metadata block.

* chore(docs): regenerate baselines after upstream rebase

  upstream/main moved between rebases; the merged source state for the PR's `src/config/schema.help.ts` change and the upstream plugin-sdk surface changes both produce different hashes than the committed baselines, so `config:docs:check` and `plugin-sdk:api:check` would fail. Regenerated via `pnpm config:docs:gen` + `pnpm plugin-sdk:api:gen` on Crabbox; both baselines verified with their respective `--check` generators.

* test(plugin-sdk): assert SSRF blocked error class
* fix(lint): satisfy exact-origin PR lint rules
* docs: clarify custom provider origin trust
* chore(docs): refresh plugin sdk api baseline

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

| | | |
|---|---|---|
| alibaba.md | ||
| anthropic.md | ||
| arcee.md | ||
| azure-speech.md | ||
| bedrock-mantle.md | ||
| bedrock.md | ||
| cerebras.md | ||
| chutes.md | ||
| claude-max-api-proxy.md | ||
| cloudflare-ai-gateway.md | ||
| comfy.md | ||
| deepgram.md | ||
| deepinfra.md | ||
| deepseek.md | ||
| ds4.md | ||
| elevenlabs.md | ||
| fal.md | ||
| fireworks.md | ||
| github-copilot.md | ||
| glm.md | ||
| google.md | ||
| gradium.md | ||
| groq.md | ||
| huggingface.md | ||
| index.md | ||
| inferrs.md | ||
| inworld.md | ||
| kilocode.md | ||
| litellm.md | ||
| lmstudio.md | ||
| minimax.md | ||
| mistral.md | ||
| models.md | ||
| moonshot.md | ||
| nvidia.md | ||
| ollama.md | ||
| openai.md | ||
| opencode-go.md | ||
| opencode.md | ||
| openrouter.md | ||
| perplexity-provider.md | ||
| qianfan.md | ||
| qwen.md | ||
| runway.md | ||
| senseaudio.md | ||
| sglang.md | ||
| stepfun.md | ||
| synthetic.md | ||
| tencent.md | ||
| together.md | ||
| venice.md | ||
| vercel-ai-gateway.md | ||
| vllm.md | ||
| volcengine.md | ||
| vydra.md | ||
| xai.md | ||
| xiaomi.md | ||
| zai.md | ||