From d481742790b96cd2cdcaaea15b3a667fc4a0d5a9 Mon Sep 17 00:00:00 2001 From: lan Date: Tue, 5 May 2026 20:51:35 +0800 Subject: [PATCH] fix(service): skip SSRF checks for local S3 resources Allow image segments with URLs matching the local S3 prefix to bypass SSRF validation, as internal S3 endpoints may resolve to private IP addresses that would otherwise trigger security errors. --- internal/service/message_segment_image.go | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/internal/service/message_segment_image.go b/internal/service/message_segment_image.go index 66e1f09..0923edf 100644 --- a/internal/service/message_segment_image.go +++ b/internal/service/message_segment_image.go @@ -46,14 +46,15 @@ func (s *UploadService) ValidateChatMessageImageSegments(segments model.MessageS if u.Host == "" { return fmt.Errorf("图片地址无效") } - if err := netutil.ValidateURL(urlStr); err != nil { - return fmt.Errorf("图片地址不安全: %w", err) - } - if err := netutil.CheckResolvedHost(u.Hostname()); err != nil { - return fmt.Errorf("图片地址不安全: %w", err) - } - - if !strings.HasPrefix(urlStr, prefix) { + if strings.HasPrefix(urlStr, prefix) { + // 本站 S3 资源,跳过 SSRF 检查(内网 S3 可能解析为私有 IP) + } else { + if err := netutil.ValidateURL(urlStr); err != nil { + return fmt.Errorf("图片地址不安全: %w", err) + } + if err := netutil.CheckResolvedHost(u.Hostname()); err != nil { + return fmt.Errorf("图片地址不安全: %w", err) + } return fmt.Errorf("图片必须使用本站上传接口生成的资源地址") }