fix(service): skip SSRF checks for local S3 resources
Allow image segments with URLs matching the local S3 prefix to bypass SSRF validation, as internal S3 endpoints may resolve to private IP addresses that would otherwise trigger security errors.
This commit is contained in:
@@ -46,14 +46,15 @@ func (s *UploadService) ValidateChatMessageImageSegments(segments model.MessageS
|
||||
if u.Host == "" {
|
||||
return fmt.Errorf("图片地址无效")
|
||||
}
|
||||
if strings.HasPrefix(urlStr, prefix) {
|
||||
// 本站 S3 资源,跳过 SSRF 检查(内网 S3 可能解析为私有 IP)
|
||||
} else {
|
||||
if err := netutil.ValidateURL(urlStr); err != nil {
|
||||
return fmt.Errorf("图片地址不安全: %w", err)
|
||||
}
|
||||
if err := netutil.CheckResolvedHost(u.Hostname()); err != nil {
|
||||
return fmt.Errorf("图片地址不安全: %w", err)
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(urlStr, prefix) {
|
||||
return fmt.Errorf("图片必须使用本站上传接口生成的资源地址")
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user