
Commit 9516dad

committed
fix(security): verify resolved IP is loopback when hostname is localhost in validateUrlWithDNS
1 parent 7c93346 commit 9516dad


1 file changed

+8
-1
lines changed


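--- a/apps/sim/lib/core/security/input-validation.server.ts
+++ b/apps/sim/lib/core/security/input-validation.server.ts
@@ -81,7 +81,14 @@ export async function validateUrlWithDNS(
 try {
 const { address } = await dns.lookup(cleanHostname, { verbatim: true })
 
-if (isPrivateOrReservedIP(address) && !isLocalhost) {
+const resolvedIsLoopback =
+ipaddr.isValid(address) &&
+(() => {
+const ip = ipaddr.process(address).toString()
+return ip === '127.0.0.1' || ip === '::1'
+})()
+
+if (isPrivateOrReservedIP(address) && !(isLocalhost && resolvedIsLoopback)) {
 logger.warn('URL resolves to blocked IP address', {
 paramName,
 hostname,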
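Review bot: The loopback test on new lines 84–89 wraps a two-literal string comparison in an IIFE and carries no comment saying why the resolved address is re-checked, so the next reader has to reconstruct the threat (a `localhost` name that a hosts file or resolver maps to an internal address). ipaddr.js can classify the address directly, e.g. `const resolvedIsLoopback = ipaddr.isValid(address) && ipaddr.process(address).range() === 'loopback'`, preceded by a comment such as `// Exempt localhost only when it actually resolves to loopback; a remapped name must not bypass the private-IP block`. Note that `range()` accepts all of 127.0.0.0/8 rather than only 127.0.0.1, so keep the literals if the exact match is intentional and say so in the comment. The commit changes a single file, so a regression test that stubs `dns.lookup` to return a private address for `localhost` appears to be missing; `validateUrlWithDNS` starts and ends outside this hunk, so how `isLocalhost` is derived and whether the checked address is the one later connected to cannot be confirmed from here.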
