singularity/singularity-forge

Fork 0

Commit graph

Author	SHA1	Message	Date
Jeremy McSpadden	ebbcbe363a	security: add SSRF protection to fetch_page tool Block requests to private/internal addresses in the fetch_page tool: - Private IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x) - Cloud metadata endpoints (metadata.google.internal, instance-data) - localhost - Non-HTTP protocols (file://, ftp://) - IPv6 private ranges (::1, fc00:, fd, fe80:) Add isBlockedUrl() to url-utils.ts with 11 new tests covering all blocked and allowed URL patterns.	2026-03-16 13:35:48 -05:00

Author

SHA1

Message

Date

Jeremy McSpadden

ebbcbe363a

security: add SSRF protection to fetch_page tool

Block requests to private/internal addresses in the fetch_page tool:
- Private IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x)
- Cloud metadata endpoints (metadata.google.internal, instance-data)
- localhost
- Non-HTTP protocols (file://, ftp://)
- IPv6 private ranges (::1, fc00:, fd, fe80:)

Add isBlockedUrl() to url-utils.ts with 11 new tests covering all
blocked and allowed URL patterns.

2026-03-16 13:35:48 -05:00

1 commit