From 5ec8c9241371651bd58f681565256e81ef07dcf3 Mon Sep 17 00:00:00 2001
From: OpenClawd
Date: Tue, 24 Feb 2026 11:05:43 +0000
Subject: [PATCH] fix: reject URLs longer than 2048 chars (BUG-011 DoS prevention)
---
 src/services/ssrf.ts | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/services/ssrf.ts b/src/services/ssrf.ts
index 40dee02..aaa4d4f 100644
--- a/src/services/ssrf.ts
+++ b/src/services/ssrf.ts
@@ -24,7 +24,13 @@ const BLOCKED_HOSTS = [
 /^kubernetes/,
 ];
 
+const MAX_URL_LENGTH = 2048;
+
 export async function validateUrl(urlStr: string): Promise<{ hostname: string; resolvedIp: string }> {
+ if (!urlStr || urlStr.length > MAX_URL_LENGTH) {
+ throw new Error(`Invalid URL: must be between 1 and ${MAX_URL_LENGTH} characters`);
+ }
+
 let parsed: URL;
 try {
 parsed = new URL(urlStr);
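Review bot: The new length guard at the top of `validateUrl` relies on the `urlStr: string` annotation, which is erased at runtime. If a caller passes a value straight from a parsed query string or JSON body, an array or object has a small or undefined `.length`, passes the check, and is then stringified by `new URL(urlStr)` at full size. Checking the type first keeps the bound effective: `if (typeof urlStr !== 'string' || urlStr.length === 0 || urlStr.length > MAX_URL_LENGTH) {`. `MAX_URL_LENGTH` would also benefit from a comment such as `// Upper bound on the raw input, in UTF-16 code units; the serialized URL can be longer after percent-encoding.` so later readers do not treat it as a byte limit. The rest of `validateUrl` lies outside the hunk, so whether callers already validate the type is not visible here.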