fix: restrict .internal SSRF allowlist to host.docker.internal only

teedonk · teedonk · commit dec517dff5fc · 2026-04-06T04:57:00.000+01:00
diff --git a/apps/sim/app/api/knowledge/route.ts b/apps/sim/app/api/knowledge/route.ts
@@ -83,9 +83,10 @@ const CreateKnowledgeBaseSchema = z.object({
             }
             return false
           }
-          // Allow Docker service hostnames (no dots = not a public domain)
-          // e.g. "ollama", "host.docker.internal"
-          if (!hostname.includes('.') || hostname.endsWith('.internal')) {
+          // Allow Docker service hostnames (no dots = not a public domain, e.g. "ollama")
+          // or the well-known Docker Desktop host alias. Do NOT allow all *.internal domains —
+          // they are not universally restricted and could be DNS-resolved to cloud metadata IPs.
+          if (!hostname.includes('.') || hostname === 'host.docker.internal') {
             return true
           }
           return false

Original file line number	Diff line number	Diff line change
`@@ -83,9 +83,10 @@ const CreateKnowledgeBaseSchema = z.object({`
`83`	`83`	`}`
`84`	`84`	`return false`
`85`	`85`	`}`
`86`		`- // Allow Docker service hostnames (no dots = not a public domain)`
`87`		`- // e.g. "ollama", "host.docker.internal"`
`88`		`- if (!hostname.includes('.') \|\| hostname.endsWith('.internal')) {`
	`86`	`+ // Allow Docker service hostnames (no dots = not a public domain, e.g. "ollama")`
	`87`	`+ // or the well-known Docker Desktop host alias. Do NOT allow all *.internal domains —`
	`88`	`+ // they are not universally restricted and could be DNS-resolved to cloud metadata IPs.`
	`89`	`+ if (!hostname.includes('.') \|\| hostname === 'host.docker.internal') {`
`89`	`90`	`return true`
`90`	`91`	`}`
`91`	`92`	`return false`