Trek_CN/client
jubnl 7a314a92b1
fix: add SSRF protection for link preview and Immich URL
- Create server/src/utils/ssrfGuard.ts with checkSsrf() and createPinnedAgent()
  - Resolves DNS before allowing outbound requests to catch hostnames that
    map to private IPs (closes the TOCTOU gap in the old inline checks)
  - Always blocks loopback (127.x, ::1) and link-local/metadata (169.254.x)
  - RFC-1918, CGNAT (100.64/10), and IPv6 ULA ranges blocked by default;
    opt-in via ALLOW_INTERNAL_NETWORK=true for self-hosters running Immich
    on a local network
  - createPinnedAgent() pins node-fetch to the validated IP, preventing
    DNS rebinding between the check and the actual connection

- Replace isValidImmichUrl() (hostname-string check, no DNS resolution)
  with checkSsrf(); make PUT /integrations/immich/settings async
  - Audit log entry (immich.private_ip_configured) written when a user
    saves an Immich URL that resolves to a private IP
  - Response includes a warning field surfaced as a toast in the UI

- Replace ~20 lines of duplicated inline SSRF logic in the link-preview
  handler with a single checkSsrf() call + pinned agent

- Document ALLOW_INTERNAL_NETWORK in README, docker-compose.yml,
  server/.env.example, chart/values.yaml, chart/templates/configmap.yaml,
  and chart/README.md
2026-04-01 07:59:03 +02:00
..
public v2.6.2 — TREK Rebrand, OSM Enrichment, File Management, Hotel Bookings & Bug Fixes 2026-03-28 16:38:08 +01:00
scripts Add PWA support for iOS home screen install 2026-03-21 22:21:23 +01:00
src fix: add SSRF protection for link preview and Immich URL 2026-04-01 07:59:03 +02:00
index.html fix: harden PWA caching and client-side auth security 2026-03-31 00:33:58 +00:00
package-lock.json feat: adds better gpx track views 2026-03-31 10:29:49 +02:00
package.json chore: bump version to 2.7.1 2026-03-30 21:25:35 +02:00
postcss.config.js Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations) 2026-03-18 23:58:08 +01:00
tailwind.config.js Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations) 2026-03-18 23:58:08 +01:00
tsconfig.json refactoring: TypeScript migration, security fixes, 2026-03-27 18:40:18 +01:00
vite.config.js fix: harden PWA caching and client-side auth security 2026-03-31 00:33:58 +00:00