From 442fdbf3d897e61e06d2ab308ed2048ef45fc85c Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Wed, 18 Feb 2026 04:52:44 +0100 Subject: [PATCH] fix(security): block SSRF IPv6 transition bypasses --- CHANGELOG.md | 1 + src/infra/net/ssrf.test.ts | 23 +++++++++++++++ src/infra/net/ssrf.ts | 57 ++++++++++++++++++++++++++++++++------ 3 files changed, 73 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf4a49359f..191e14a8b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -82,6 +82,7 @@ Docs: https://docs.openclaw.ai - BlueBubbles: include sender identifier in untrusted conversation metadata for conversation info payloads. Thanks @tyler6204. - Security/Exec: fix the OC-09 credential-theft path via environment-variable injection. (#18048) Thanks @aether-ai-agent. - Security/Config: confine `$include` resolution to the top-level config directory, harden traversal/symlink checks with cross-platform-safe path containment, and add doctor hints for invalid escaped include paths. (#18652) Thanks @aether-ai-agent. +- Security/Net: block SSRF bypass via NAT64 (`64:ff9b::/96`, `64:ff9b:1::/48`), 6to4 (`2002::/16`), and Teredo (`2001:0000::/32`) IPv6 transition addresses, and fail closed on IPv6 parse errors. Thanks @jackhax. - Providers: improve error messaging for unconfigured local `ollama`/`vllm` providers. (#18183) Thanks @arosstale. - TTS: surface all provider errors instead of only the last error in aggregated failures. (#17964) Thanks @ikari-pl. - CLI/Doctor/Configure: skip gateway auth checks for loopback-only setups. (#18407) Thanks @sggolakiya. diff --git a/src/infra/net/ssrf.test.ts b/src/infra/net/ssrf.test.ts index a093f4155b..f2097eedac 100644 --- a/src/infra/net/ssrf.test.ts +++ b/src/infra/net/ssrf.test.ts @@ -17,6 +17,20 @@ describe("ssrf ip classification", () => { expect(isPrivateIpAddress("0:0:0:0:0:ffff:a9fe:a9fe")).toBe(true); }); + it("treats private IPv4 embedded in NAT64 prefixes as private", () => { + expect(isPrivateIpAddress("64:ff9b::127.0.0.1")).toBe(true); + expect(isPrivateIpAddress("64:ff9b::169.254.169.254")).toBe(true); + expect(isPrivateIpAddress("64:ff9b:1::192.168.1.1")).toBe(true); + expect(isPrivateIpAddress("64:ff9b:1::10.0.0.1")).toBe(true); + }); + + it("treats private IPv4 embedded in 6to4 and Teredo prefixes as private", () => { + expect(isPrivateIpAddress("2002:7f00:0001::")).toBe(true); + expect(isPrivateIpAddress("2002:a9fe:a9fe::")).toBe(true); + expect(isPrivateIpAddress("2001:0000:0:0:0:0:80ff:fefe")).toBe(true); + expect(isPrivateIpAddress("2001:0000:0:0:0:0:3f57:fefe")).toBe(true); + }); + it("treats common IPv6 private/internal ranges as private", () => { expect(isPrivateIpAddress("::")).toBe(true); expect(isPrivateIpAddress("::1")).toBe(true); @@ -29,6 +43,15 @@ describe("ssrf ip classification", () => { expect(isPrivateIpAddress("93.184.216.34")).toBe(false); expect(isPrivateIpAddress("2606:4700:4700::1111")).toBe(false); expect(isPrivateIpAddress("2001:db8::1")).toBe(false); + expect(isPrivateIpAddress("64:ff9b::8.8.8.8")).toBe(false); + expect(isPrivateIpAddress("64:ff9b:1::8.8.8.8")).toBe(false); + expect(isPrivateIpAddress("2002:0808:0808::")).toBe(false); + expect(isPrivateIpAddress("2001:0000:0:0:0:0:f7f7:f7f7")).toBe(false); + }); + + it("fails closed for malformed IPv6 input", () => { + expect(isPrivateIpAddress("::::")).toBe(true); + expect(isPrivateIpAddress("2001:db8::gggg")).toBe(true); }); }); diff --git a/src/infra/net/ssrf.ts b/src/infra/net/ssrf.ts index fce4204f4f..0dfab0af90 100644 --- a/src/infra/net/ssrf.ts +++ b/src/infra/net/ssrf.ts @@ -146,15 +146,55 @@ function extractIpv4FromEmbeddedIpv6(hextets: number[]): number[] | null { // IPv4-mapped: ::ffff:a.b.c.d (and full-form variants) // IPv4-compatible: ::a.b.c.d (deprecated, but still needs private-network blocking) const zeroPrefix = hextets[0] === 0 && hextets[1] === 0 && hextets[2] === 0 && hextets[3] === 0; - if (!zeroPrefix || hextets[4] !== 0) { - return null; + if (zeroPrefix && hextets[4] === 0 && (hextets[5] === 0xffff || hextets[5] === 0)) { + const high = hextets[6]; + const low = hextets[7]; + return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; } - if (hextets[5] !== 0xffff && hextets[5] !== 0) { - return null; + + // NAT64 well-known prefix: 64:ff9b::/96 + if ( + hextets[0] === 0x0064 && + hextets[1] === 0xff9b && + hextets[2] === 0 && + hextets[3] === 0 && + hextets[4] === 0 && + hextets[5] === 0 + ) { + const high = hextets[6]; + const low = hextets[7]; + return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; } - const high = hextets[6]; - const low = hextets[7]; - return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; + + // NAT64 local-use prefix: 64:ff9b:1::/48 (common ::x.x.x.x form) + if ( + hextets[0] === 0x0064 && + hextets[1] === 0xff9b && + hextets[2] === 0x0001 && + hextets[3] === 0 && + hextets[4] === 0 && + hextets[5] === 0 + ) { + const high = hextets[6]; + const low = hextets[7]; + return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; + } + + // 6to4 prefix: 2002::/16 where hextets[1..2] carry the IPv4 address. + if (hextets[0] === 0x2002) { + const high = hextets[1]; + const low = hextets[2]; + return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; + } + + // Teredo prefix: 2001:0000::/32 where client IPv4 is obfuscated via XOR 0xffff. + if (hextets[0] === 0x2001 && hextets[1] === 0x0000) { + const high = hextets[6] ^ 0xffff; + const low = hextets[7] ^ 0xffff; + return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; + } + + return null; } function isPrivateIpv4(parts: number[]): boolean { @@ -195,7 +235,8 @@ export function isPrivateIpAddress(address: string): boolean { if (normalized.includes(":")) { const hextets = parseIpv6Hextets(normalized); if (!hextets) { - return false; + // Security-critical parse failures should fail closed. + return true; } const isUnspecified =