Fix SSRF vulnerability in utils.js

2026-04-19 22:23:44 +02:00 · 2026-01-02 17:49:19 +01:00
parent a7d189d89d
commit 29fd909340
1 changed files with 29 additions and 7 deletions
--- a/backend/utils.js
+++ b/backend/utils.js
@@ -29,6 +29,12 @@ function isValidIp(ip) {
 */
 function isPrivateIp(ip) {
    if (!ip) return false;
+
+    // Normalize IPv6-mapped IPv4 addresses (e.g., ::ffff:192.168.1.1 -> 192.168.1.1)
+    if (ip.startsWith('::ffff:')) {
+        ip = ip.substring(7);
+    }
+
    const ipVersion = net.isIP(ip);

    if (ipVersion === 4) {
@@ -38,12 +44,15 @@ function isPrivateIp(ip) {
            (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) || // 172.16.0.0/12
            (parts[0] === 192 && parts[1] === 168) || // 192.168.0.0/16
            parts[0] === 127 || // 127.0.0.0/8 (Loopback)
-            (parts[0] === 169 && parts[1] === 254) // 169.254.0.0/16 (Link-local)
+            (parts[0] === 169 && parts[1] === 254) || // 169.254.0.0/16 (Link-local)
+            // Block 0.0.0.0 (Commonly "Any" or "Current Network")
+            (parts[0] === 0 && parts[1] === 0 && parts[2] === 0 && parts[3] === 0)
        );
    } else if (ipVersion === 6) {
        const lowerCaseIp = ip.toLowerCase();
        return (
            lowerCaseIp === '::1' || // ::1/128 (Loopback)
+            lowerCaseIp === '::' || // ::/128 (Unspecified)
            lowerCaseIp.startsWith('fc') || lowerCaseIp.startsWith('fd') || // fc00::/7 (Unique Local)
            lowerCaseIp.startsWith('fe8') || lowerCaseIp.startsWith('fe9') || // fe80::/10 (Link-local)
            lowerCaseIp.startsWith('fea') || lowerCaseIp.startsWith('feb')
@@ -287,7 +296,20 @@ function checkPort(port, host, timeout = 2000) {
    };
    const service = commonPorts[port] || 'Unknown';

-    return new Promise((resolve) => {
+    return new Promise((resolve, reject) => {
+        // DEFENSE IN DEPTH: Prevent scanning of private IPs at the function level
+        if (!isValidIp(host) || isPrivateIp(host)) {
+            const error = new Error(`Scanning restricted: ${host} is not a valid public IP.`);
+            logger.warn({ host, port }, "Blocked attempt to scan restricted IP in checkPort");
+            return resolve({
+                port,
+                status: 'error',
+                service,
+                error: 'Restricted IP',
+                details: 'Scanning private or invalid IPs is not allowed.'
+            });
+        }
+
        const socket = new net.Socket();
        socket.setTimeout(timeout);