openclawd/SnapAPI
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: reject URLs longer than 2048 chars (BUG-011 DoS prevention)
All checks were successful
Build & Deploy to Staging / Build & Deploy to Staging (push) Successful in 9m12s
Details

Browse source
This commit is contained in:
OpenClawd 2026-02-24 11:05:43 +00:00
parent 44e31e355c
commit 5ec8c92413
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/services/ssrf.ts
View file

@ -24,7 +24,13 @@ const BLOCKED_HOSTS = [
/^kubernetes/,
];
const MAX_URL_LENGTH = 2048;
export async function validateUrl(urlStr: string): Promise<{ hostname: string; resolvedIp: string }> {
if (!urlStr || urlStr.length > MAX_URL_LENGTH) {
throw new Error(`Invalid URL: must be between 1 and ${MAX_URL_LENGTH} characters`);
}
let parsed: URL;
try {
parsed = new URL(urlStr);