fix: block SSRF by rejecting requests to private/internal IPs #528

Open
Yanhu007 wants to merge 1 commit into floatpane:master from Yanhu007:fix/ssrf-private-ip-blocking
Conversation

@Yanhu007
Contributor

@Yanhu007 Yanhu007 commented Apr 16, 2026

Fixes #505

Problem

The HTTP plugin validates URL scheme but does not block requests to private/internal IP ranges, enabling SSRF attacks.

Fix

Add a custom DialContext that resolves hostnames and rejects connections to loopback, private, link-local, and unspecified IPs before establishing connections.

The HTTP plugin validates URL scheme but does not block requests to
private IP ranges. A malicious plugin can probe the local network,
access cloud metadata endpoints (169.254.169.254), or hit internal
services on localhost.

Add a custom DialContext that resolves the target hostname and
rejects connections to loopback, private, link-local, and
unspecified IP addresses before establishing the connection.

Fixes floatpane#505
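The PR description above summarises the approach (a custom DialContext that resolves the hostname and refuses loopback, private, link-local and unspecified addresses before connecting). The block below is an added, stand-alone example of that pattern, written for this page; it is not the PR's diff or the floatpane project's code, and the function names `isForbiddenIP`, `safeDialContext` and `newSafeClient` are hypothetical. It uses only the Go standard library (`net.IP.IsPrivate` requires Go 1.17 or later).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// ErrForbiddenAddress is returned when the dial target resolves to an address
// that a server-side fetcher of user-supplied URLs must never reach.
var ErrForbiddenAddress = errors.New("ssrf guard: destination address is not allowed")

// isForbiddenIP reports whether ip falls in a range an outbound HTTP client
// should refuse: loopback, RFC 1918 / IPv6 ULA (IsPrivate), link-local (which
// includes the 169.254.169.254 cloud metadata endpoint), multicast and the
// unspecified addresses 0.0.0.0 and ::. IPv4-mapped IPv6 addresses such as
// ::ffff:127.0.0.1 are unwrapped by To4 first, so they cannot be used to slip
// past the IPv4 checks.
func isForbiddenIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsMulticast() ||
		ip.IsUnspecified()
}

// safeDialContext resolves the host in addr, rejects the connection if any
// resolved address is forbidden, and then dials the vetted IP literal rather
// than the hostname. Connecting to the already-checked IP (not the name)
// closes the DNS-rebinding window between the check and the connect.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	// LookupIPAddr returns IP literals as-is without touching DNS.
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("ssrf guard: no addresses for %q", host)
	}
	for _, ia := range ips {
		if isForbiddenIP(ia.IP) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrForbiddenAddress, host, ia.IP)
		}
	}
	d := &net.Dialer{Timeout: 10 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newSafeClient builds an http.Client whose transport dials through
// safeDialContext. Because the guard lives in the dialer, every hop of a
// redirect chain is checked, not only the URL the caller started with.
func newSafeClient() *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			DialContext:         safeDialContext,
			TLSHandshakeTimeout: 10 * time.Second,
		},
	}
}

func main() {
	// Constructed sample targets; every one of these is refused before any
	// socket is opened, so this runs offline.
	for _, target := range []string{"127.0.0.1:80", "[::1]:80", "169.254.169.254:80", "10.0.0.5:8080", "[::ffff:192.168.1.1]:80"} {
		_, err := safeDialContext(context.Background(), "tcp", target)
		fmt.Printf("%-26s -> %v\n", target, err)
	}
}
```

Two caveats a reviewer would raise against any such guard: first, the check must run on the resolved addresses at dial time, not on the URL string, otherwise a hostname that resolves to a public address during validation and to 127.0.0.1 at connect time (DNS rebinding) gets through; the example dials the vetted literal for that reason. Second, the standard-library predicates do not cover every range an operator may want blocked (for instance the 100.64.0.0/10 shared-address space or 192.0.0.0/24), so an extra deny-list of CIDRs is a reasonable addition if those matter in your deployment.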
@Yanhu007 Yanhu007 requested a review from a team as a code owner April 16, 2026 00:12
@github-actions github-actions Bot added the bug Something isn't working label Apr 16, 2026
Member

@andrinoff andrinoff left a comment

Hello, @Yanhu007
Tests fail, please fix.

Ping, or re-request review, after you do.

Member

@floatpanebot floatpanebot left a comment

Hi @Yanhu007! Please fix the following issues with your PR:

  • Title: Is too long (61 characters). The PR title must be strictly under 40 characters.
  • Body: Missing the ## What? or ## Why? headings required by the PR template.

Member

@floatpanebot floatpanebot left a comment

Hi @floatpanebot! Please fix the following issues with your PR:

  • Title: Is too long (61 characters). The PR title must be strictly under 40 characters.
  • Body: Missing the ## What? or ## Why? headings required by the PR template.

@floatpanebot floatpanebot added the area/plugin Plugin system label May 3, 2026
@andrinoff andrinoff added size/S Diff: 11–50 lines and removed size/S Diff: 11–50 lines labels May 11, 2026
Development

Successfully merging this pull request may close these issues.

BUG: Plugin HTTP has no SSRF protection

3 participants