mirror of
https://github.com/Significant-Gravitas/AutoGPT.git
synced 2026-02-10 06:45:28 -05:00
f0df4c9174
The current block web requests utility has a logic to avoid the system firing into blocklisted IPs. However, the current logic is still prone to a few security issues: * DNS rebinding attack: due to the lack of guarantee on the used IP not being changed during the IP checking and firing step. * Open redirect: due to the request sensitive request headers are still being propagated throughout the web redirect. ### Changes 🏗️ * Uses IP pinning to request the web. * Strip `Authorization`, `Proxy-Authorization`, `Cookie` upon web redirects. ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Test the web request block, add more tests with different validation scenarios.