#21145: fix(security): use SSRF guard for node camera URL downloads
cli
size: S
Cluster: SSRF Protection Enhancements
## Problem
`writeUrlToFile()` in `src/cli/nodes-camera.ts` fetched arbitrary URLs from node payloads using bare `fetch()` without SSRF protection.
A malicious or compromised node could return a `payload.url` pointing to internal/private network endpoints, causing the gateway to make requests to those targets.
## Fix
Replace `fetch()` with `fetchWithSsrFGuard()` to enforce:
- Private IP/hostname blocking
- DNS rebinding protection
- Redirect validation
## Note
This will block requests to private/internal IPs by default. If there are use cases where nodes legitimately return internal URLs (e.g., self-hosted storage), a `policy.allowPrivateNetwork` passthrough may be needed.
## Testing
Build passes. Existing SSRF guard tests cover the underlying protection.
## Related
Issue: #21151
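
The three checks listed under Fix, sketched as an added example; this is not the PR's code and not the project's `fetchWithSsrFGuard()` implementation. Every function name, the injected resolver and redirect lookup, and the sample hosts are assumptions constructed for illustration.

```javascript
// Added example, not the project's code. All names here are hypothetical.
const BLOCKED_V4 = [["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]];
const prefix = (n, bits) => Math.floor(n / 2 ** (32 - bits));
function v4ToInt(ip) {
  const p = ip.split(".");
  if (p.length !== 4 || p.some((x) => !/^\d{1,3}$/.test(x) || Number(x) > 255)) return null;
  return p.reduce((acc, x) => acc * 256 + Number(x), 0);
}

function isBlockedAddress(ip) {
  const a = ip.toLowerCase();
  const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
  const n = v4ToInt(mapped ? mapped[1] : a);
  if (n !== null) return BLOCKED_V4.some(([base, bits]) => prefix(n, bits) === prefix(v4ToInt(base), bits));
  if (!a.includes(":") || a.startsWith("::ffff:")) return true; // not parseable here: fail closed
  // Unspecified, loopback, unique-local fc00::/7, link-local fe80::/10.
  return a === "::" || a === "::1" || /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
}

// Validate one hop. `resolve(host)` is injected and stands in for a DNS lookup returning
// every address of the name. The caller connects to `pinned`, never re-resolving the name.
function checkHop(rawUrl, resolve) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("blocked scheme");
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const literal = v4ToInt(host) !== null || host.includes(":");
  const addrs = literal ? [host] : resolve(host);
  if (addrs.length === 0 || addrs.some(isBlockedAddress)) throw new Error("blocked host: " + host);
  return { url: url.href, pinned: addrs[0] };
}

// Redirects are followed by hand so each Location is validated before it is requested.
// `locationOf(url)` stands in for a request made with redirect: "manual".
function validateChain(startUrl, resolve, locationOf, maxHops = 5) {
  let hop = checkHop(startUrl, resolve);
  for (let i = 0; i < maxHops; i++) {
    const next = locationOf(hop.url);
    if (!next) return hop;
    hop = checkHop(new URL(next, hop.url).href, resolve);
  }
  throw new Error("too many redirects");
}

// Constructed sample data (not from the PR): one clean host, one multi-answer host, one redirect.
const DNS = new Map([["cam.example", ["203.0.113.7"]], ["rebind.example", ["203.0.113.9", "127.0.0.1"]]]);
const REDIRECTS = new Map([["https://cam.example/old.jpg", "http://10.0.0.5/internal"]]);
function verdict(u) {
  try { return validateChain(u, (h) => DNS.get(h) || [], (x) => REDIRECTS.get(x)).pinned; } catch (e) { return e.message; }
}
```

In real use the resolver would be a DNS lookup that returns all addresses, and the HTTP client would be made to connect to `pinned`; that pinning is what closes the rebinding window between check and fetch.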
Most Similar PRs
- #19525: security: add SSRF validation for external URLs (by Mozzzaic · 2026-02-17 · 69.7%)
- #8305: fix(browser): add SSRF protection to browser navigation (by yubrew · 2026-02-03 · 65.1%)
- #8228: fix(link-understanding): block private IPs and internal hostnames i... (by yubrew · 2026-02-03 · 64.8%)
- #11086: fix(mattermost): allow private network for inbound media download (by oskarmodig · 2026-02-07 · 63.0%)
- #22644: feat(web-fetch): add allowPrivateNetwork config for web_fetch (by qingxuecc · 2026-02-21 · 61.4%)
- #23598: fix(msteams): add SSRF protection to attachment downloads via redir... (by lewiswigmore · 2026-02-22 · 60.8%)
- #21436: fix(gateway): plaintext ws:// blocked for Docker bind=lan (SECURITY... (by xinhuagu · 2026-02-19 · 59.3%)
- #21326: Security/UI: harden Control UI gatewayUrl URL overrides (by bmendonca3 · 2026-02-19 · 59.1%)
- #11812: fix: MSTeams attachment fetch follows redirects before allowlist ch... (by coygeek · 2026-02-08 · 59.0%)
- #16144: fix: respect HTTP_PROXY/HTTPS_PROXY in SSRF-protected fetch (#2102) (by battman21 · 2026-02-14 · 58.5%)