fix(service): skip SSRF checks for local S3 resources
All checks were successful
Build Backend / build (push) Successful in 2m21s
Build Backend / build-docker (push) Successful in 1m37s

Allow image segments with URLs matching the local S3 prefix to bypass
SSRF validation, as internal S3 endpoints may resolve to private IP
addresses that would otherwise trigger security errors.
This commit is contained in:
2026-05-05 20:51:35 +08:00
parent af1ecaf71e
commit d481742790

View File

@@ -46,14 +46,15 @@ func (s *UploadService) ValidateChatMessageImageSegments(segments model.MessageS
if u.Host == "" {
return fmt.Errorf("图片地址无效")
}
if err := netutil.ValidateURL(urlStr); err != nil {
return fmt.Errorf("图片地址不安全: %w", err)
}
if err := netutil.CheckResolvedHost(u.Hostname()); err != nil {
return fmt.Errorf("图片地址不安全: %w", err)
}
if !strings.HasPrefix(urlStr, prefix) {
if strings.HasPrefix(urlStr, prefix) {
// 本站 S3 资源,跳过 SSRF 检查(内网 S3 可能解析为私有 IP
} else {
if err := netutil.ValidateURL(urlStr); err != nil {
return fmt.Errorf("图片地址不安全: %w", err)
}
if err := netutil.CheckResolvedHost(u.Hostname()); err != nil {
return fmt.Errorf("图片地址不安全: %w", err)
}
return fmt.Errorf("图片必须使用本站上传接口生成的资源地址")
}