SSRF protection — no IP range blocking on remote dereference #4

New Issue

Closed

opened 2026-05-29 10:22:27 +00:00 by GKaszewski · 0 comments

GKaszewski commented 2026-05-29 10:22:27 +00:00

Owner

Copy Link

When dereferencing remote object or actor URLs, there is no validation that the resolved IP is not in a private/reserved range (127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, fc00::/7, etc.).

A malicious actor could craft an actor URL pointing at internal services, causing the server to make requests to the local network.

Suggested fix: resolve the hostname before connecting and reject private/loopback/link-local IP ranges. Consider a configurable allowlist for legitimate internal federation scenarios.

When dereferencing remote object or actor URLs, there is no validation that the resolved IP is not in a private/reserved range (127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, fc00::/7, etc.). A malicious actor could craft an actor URL pointing at internal services, causing the server to make requests to the local network. Suggested fix: resolve the hostname before connecting and reject private/loopback/link-local IP ranges. Consider a configurable allowlist for legitimate internal federation scenarios.

GKaszewski referenced this issue from a commit 2026-05-30 00:48:46 +00:00

feat: SSRF protection — block private IP ranges on outgoing requests

GKaszewski closed this issue 2026-05-30 00:48:46 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

v0.3.1

v0.3.0

v0.1.10

v0.1.9

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GKaszewski

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: GKaszewski/k-ap#4