Commit 7c93346

fix(security): derive isLocalhost from hostname not resolved IP in validateUrlWithDNS
1 parent e298899 commit 7c93346

1 file changed

+15
-14
lines changed

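--- a/apps/sim/lib/core/security/input-validation.server.ts
+++ b/apps/sim/lib/core/security/input-validation.server.ts
@@ -64,21 +64,22 @@ export async function validateUrlWithDNS(
 const parsedUrl = new URL(url!)
 const hostname = parsedUrl.hostname
 
-try {
-const lookupHostname =
-hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname
-const { address } = await dns.lookup(lookupHostname, { verbatim: true })
-
-const hostnameLower = hostname.toLowerCase()
-
-let isLocalhost = hostnameLower === 'localhost'
-
-if (ipaddr.isValid(address)) {
-const processedIP = ipaddr.process(address).toString()
-if (processedIP === '127.0.0.1' || processedIP === '::1') {
-isLocalhost = true
-}
+const hostnameLower = hostname.toLowerCase()
+const cleanHostname =
+hostnameLower.startsWith('[') && hostnameLower.endsWith(']')
+? hostnameLower.slice(1, -1)
+: hostnameLower
+
+let isLocalhost = cleanHostname === 'localhost'
+if (ipaddr.isValid(cleanHostname)) {
+const processedIP = ipaddr.process(cleanHostname).toString()
+if (processedIP === '127.0.0.1' || processedIP === '::1') {
+isLocalhost = true
 }
+}
+
+try {
+const { address } = await dns.lookup(cleanHostname, { verbatim: true })
 
 if (isPrivateOrReservedIP(address) && !isLocalhost) {
 logger.warn('URL resolves to blocked IP address', {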
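Review bot: The loopback exemption at `if (isPrivateOrReservedIP(address) && !isLocalhost)` still never checks that the resolved `address` is itself loopback, so once `isLocalhost` is true from the hostname, any private or reserved address returned by `dns.lookup` is accepted. Whether the name `localhost` can resolve to something other than 127.0.0.1/::1 depends on the deployment's hosts file and resolver, so this is a hardening gap rather than a demonstrated bypass. I would tie the exemption to both sides, e.g. `const resolvesToLoopback = ipaddr.isValid(address) && ipaddr.process(address).range() === 'loopback'` and `if (isPrivateOrReservedIP(address) && !(isLocalhost && resolvesToLoopback)) {`. A short comment above `let isLocalhost` stating that it must only be derived from the literal URL host, never from DNS output, would help keep the earlier bug from returning. The `try` block and the rest of validateUrlWithDNS continue past the end of the hunk, so how the validated address is used afterwards is not visible here.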
