Skip to content

fix: strengthen SSRF guard IPv6 coverage and replace Math.random() session IDs with crypto.randomUUID()#217

Open
HugoWong528 wants to merge 6 commits intoTHU-MAIC:mainfrom
HugoWong528:main
Open

fix: strengthen SSRF guard IPv6 coverage and replace Math.random() session IDs with crypto.randomUUID()#217
HugoWong528 wants to merge 6 commits intoTHU-MAIC:mainfrom
HugoWong528:main

Conversation

@HugoWong528
Copy link

@HugoWong528 HugoWong528 commented Mar 23, 2026

Summary

This PR addresses two critical security vulnerabilities by strengthening the SSRF guard's IPv6 handling and upgrading session ID generation to a cryptographically secure method.

Related Issues

  • Fixes SSRF (CWE-918)
  • Fixes Weak Random (CWE-338)

Changes

  • lib/server/ssrf-guard.ts:
    • Implement extractIPv4FromMappedIPv6() to unwrap IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1), ensuring they can't bypass IPv4 blocklists.
    • Restricted IPv6 specific checks (unique-local, link-local) to hostnames containing colons to prevent false positives on standard domains.
    • Added explicit blocking for loopback variants :: and 0:0:0:0:0:0:0:0.
  • components/chat/use-chat-sessions.ts:
    • Migrated from Math.random() to crypto.randomUUID() for session ID generation to ensure non-predictability.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • CI/CD or build changes

Verification

Steps to reproduce / test

  1. Deploy the changes to a local environment.
  2. Attempt to bypass the SSRF guard using mapped addresses: curl -X POST /api/fetch?url=http://[::ffff:127.0.0.1]/.
  3. Create new chat sessions and inspect the localStorage or session store to verify IDs follow the UUID v4 format.

What you personally verified

  • Manually verified that http://[::ffff:127.0.0.1]/ and http://[::ffff:7f00:1]/ are correctly blocked.
  • Verified that legitimate external requests (e.g., https://api.openai.com) are unaffected.
  • Confirmed that session IDs are now generated using the Web Crypto API.

Evidence

  • CI passes (pnpm check && pnpm lint && npx tsc --noEmit)
  • Manually tested locally
  • Screenshots / recordings attached (if UI changes)

Checklist

  • My code follows the project's coding style
  • I have performed a self-review of my code
  • I have added/updated documentation as needed
  • My changes do not introduce new warnings

Copilot AI and others added 6 commits March 22, 2026 10:55
@HugoWong528
fix: strengthen SSRF guard IPv6 coverage and replace Math.random() se…
04c6d34 
…ssion IDs with crypto.randomUUID()

Co-authored-by: HugoWong528 <267603037+HugoWong528@users.noreply.github.com>
Agent-Logs-Url: https://github.com/HugoWong528/OpenMAIC/sessions/11d0af47-a7c4-419c-bb94-639f2f7b95cb
@HugoWong528
Merge pull request #1 from HugoWong528/copilot/check-data-security-is…
5161e40 
…sues

fix: close SSRF IPv6 bypass and replace Math.random() session IDs with crypto.randomUUID()
@HugoWong528
Add files via upload
1678796
@HugoWong528
Add pollinations provider setup files
6d1cc45 
Co-authored-by: HugoWong528 <267603037+HugoWong528@users.noreply.github.com>
Agent-Logs-Url: https://github.com/HugoWong528/OpenMAIC/sessions/1fd593d7-2186-4bbe-a7a4-db05325901fa
@HugoWong528
Add Pollinations.ai as a built-in provider
89e5f5e 
Co-authored-by: HugoWong528 <267603037+HugoWong528@users.noreply.github.com>
Agent-Logs-Url: https://github.com/HugoWong528/OpenMAIC/sessions/1fd593d7-2186-4bbe-a7a4-db05325901fa
@HugoWong528
Merge pull request #2 from HugoWong528/copilot/add-apidocs-endpoint
31bbd2c 
Add Pollinations.ai as a built-in LLM provider
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HugoWong528