Fix SSRF/credential forwarding via client-supplied baseUrl#30
Merged. cosarah merged 2 commits into THU-MAIC:main on Mar 17, 2026.
Conversation
Compare: 69e76d3 to bd6d2d5
cosarah (Collaborator) approved these changes on Mar 17, 2026 and left a comment:
LGTM. The core fix logic is correct:
- Forbid the server key + client baseUrl combination: all 10 routes are covered, preventing credential leakage
- SSRF validation only takes effect in production: reasonable, and it does not affect local development
- verify-pdf-provider disables redirects: that route is the only verify route that calls fetch directly; the other verify routes are driven by the SDK and need no extra handling
Verified locally; everything works as expected.
YizukiAme pushed a commit to YizukiAme/OpenMAIC that referenced this pull request on Mar 18, 2026:
* Fix SSRF/credential forwarding via client-supplied baseUrl * chore: format SSRF fix
cosarah added a commit that referenced this pull request on Mar 19, 2026:
* feat: add pan, zoom, and auto-fit to whiteboard canvas

  When AI generates whiteboard elements that exceed the fixed 1000x562.5 canvas, content was clipped by overflow-hidden with no way to view it. This commit adds interactive navigation to the whiteboard:
  - Auto-fit: when elements overflow, content is scaled and centered to ensure nothing is clipped (with 24px padding)
  - Drag-to-pan: hold and drag to pan around the whiteboard
  - Scroll-to-zoom: mouse wheel zooms in/out (0.2x to 5x range)
  - Double-click or Reset View button to return to default view
  - View auto-resets when new whiteboard content loads
  When content fits within the canvas, behavior is unchanged - no extra cursor, no transforms, no visual regression.
  Fixes #19
* fix: correct pan tracking math and reset button event propagation
* fix: guard against zero containerScale and fix zoom docstring
* fix: cleanup reviewer feedback and disable pan/zoom on empty whiteboard
  - Remove dead code: ?? 'Reset View' fallback (i18n key exists)
  - Add useMemo for elementsKey (perf optimization)
  - Fix el.height type narrowing (remove implicit any)
  - Disable pan/zoom/cursor when whiteboard is empty (UX improvement)
* docs: revamp OpenClaw TIP section with playful copy and clearer install flow
  Restructure the OpenClaw quickstart: install skill first, then pick mode. Add meme-style nudge for OpenClaw to star the repo. Enlarge logo and put "OpenClaw" in the TIP heading for visibility.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(build): use cross-platform file copy in mathml2omml (#20)
  * fix(build): use cross-platform file copy in mathml2omml build script
    Replace Unix `cp` with Node.js `fs.copyFileSync` so that `pnpm install` works correctly on Windows where `cp` is not available.
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
  * chore: add .worktrees to .gitignore
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
  ---------
  Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(build): Next.js 16 requires Node.js >= 20.9.0 (#21)
  * fix(build):
    1. README.md / README-zh.md: Node.js version requirement >= 18 → >= 20
    2. package.json: add engines: { node: ">=20.9.0" }
    3. ci.yml: node-version: 20 → 22 (matching the Dockerfile)
    4. .nvmrc: new file, containing 22
  Co-authored-by: humingfeng <humfsss@gmail.com>
* Update Vercel configuration by removing bodyParser (#45)
  Removed bodyParser configuration from Vercel functions.
* Fix SSRF/credential forwarding via client-supplied baseUrl (#30)
  * Fix SSRF/credential forwarding via client-supplied baseUrl
  * chore: format SSRF fix
* fix: tighten whiteboard pan and auto-fit bounds
* refactor: reset whiteboard viewport via keyed remount
* fix: preserve viewport while whiteboard content streams
* feat: add scroll-to-zoom interaction hint on whiteboard
* feat: add pan, zoom, and auto-fit to whiteboard canvas

  When AI generates whiteboard elements that exceed the fixed 1000x562.5 canvas, content was clipped by overflow-hidden with no way to view it. This commit adds interactive navigation to the whiteboard:
  - Auto-fit: when elements overflow, content is scaled and centered to ensure nothing is clipped (with 24px padding)
  - Drag-to-pan: hold and drag to pan around the whiteboard
  - Scroll-to-zoom: mouse wheel zooms in/out (0.2x to 5x range)
  - Double-click or Reset View button to return to default view
  - View auto-resets when new whiteboard content loads
  When content fits within the canvas, behavior is unchanged - no extra cursor, no transforms, no visual regression.
  Fixes #19
* fix: correct pan tracking math and reset button event propagation
* fix: guard against zero containerScale and fix zoom docstring
* fix: cleanup reviewer feedback and disable pan/zoom on empty whiteboard
  - Remove dead code: ?? 'Reset View' fallback (i18n key exists)
  - Add useMemo for elementsKey (perf optimization)
  - Fix el.height type narrowing (remove implicit any)
  - Disable pan/zoom/cursor when whiteboard is empty (UX improvement)
* fix: tighten whiteboard pan and auto-fit bounds
* refactor: reset whiteboard viewport via keyed remount
* fix: preserve viewport while whiteboard content streams
* feat: add scroll-to-zoom interaction hint on whiteboard
* fix: avoid synchronous setState in useEffect for hint visibility

---------
Co-authored-by: wyuc <wang-yc24@mails.tsinghua.edu.cn>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: 杨慎 <117187635+cosarah@users.noreply.github.com>
Co-authored-by: 1/2极客 <humf@vip.qq.com>
Co-authored-by: humingfeng <humfsss@gmail.com>
Co-authored-by: Rowtion <65099725+Rowtion@users.noreply.github.com>
Co-authored-by: Wing900 <167857578+Wing900@users.noreply.github.com>
zhenzhu143321 pushed a commit to zhenzhu143321/OpenMAIC that referenced this pull request on Apr 4, 2026.
jaumemir pushed a commit to jaumemir/OpenMAIC that referenced this pull request on Apr 8, 2026:
* Fix SSRF/credential forwarding via client-supplied baseUrl * chore: format SSRF fix
jaumemir pushed a commit to jaumemir/OpenMAIC that referenced this pull request on Apr 8, 2026.
Problem: the current implementation lets the client pass a baseUrl and, when no apiKey is supplied, falls back to the server's environment-variable key, so the server may send its own key in requests to an attacker-controlled address (credential leakage/SSRF).
Fix: forbid the 'server key + client baseUrl' combination: whenever a custom baseUrl is used, a client key must be supplied explicitly; add SSRF validation in production, and disable redirects for the connectivity check.

EN:
Description:
Currently, the system allows clients to provide a custom baseUrl. If no apiKey is provided, it falls back to the server's environment variable, which could lead to API key leakage to attacker-controlled endpoints (Credential Leakage/SSRF).
Fixes:
1. Prohibit the combination of 'server-side key + client-provided baseUrl'.
2. Integrated SSRF validation in production environments.
3. Disabled redirects in connectivity checks to further mitigate SSRF risks.
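The three measures this description lists (and cosarah's review above ticks off per route) are shown below as an added TypeScript example; it is not OpenMAIC's own code and models no real route or SDK. It places the old fallback (`resolveProviderVulnerable`) beside the new rule (`resolveProviderFixed`, which refuses a custom baseUrl without a client key and runs `assertSafeBaseUrl` only in production) and builds the connectivity probe with `redirect: "error"`. Every function name, the `PROVIDER_API_KEY`/`PROVIDER_BASE_URL` variables, the default URL, the `models` endpoint and the sample hosts are assumptions.

```typescript
// Added example, not OpenMAIC's code. Names, env variables and URLs are assumptions.
import * as net from "node:net";

export interface ClientProviderInput {
  baseUrl?: string; // optional, client-supplied
  apiKey?: string;  // optional, client-supplied
}

export interface ServerEnv {
  PROVIDER_API_KEY?: string;  // assumed env var holding the server's own key
  PROVIDER_BASE_URL?: string; // assumed env var holding the server's own endpoint
}

export interface ResolvedProvider { baseUrl: string; apiKey: string }

const DEFAULT_BASE_URL = "https://api.provider.invalid/v1"; // constructed placeholder

// BEFORE (the pattern the PR removes): a client can set baseUrl and omit apiKey,
// and the server silently falls back to its own key for that client-chosen host.
export function resolveProviderVulnerable(input: ClientProviderInput, env: ServerEnv): ResolvedProvider {
  return {
    baseUrl: input.baseUrl || env.PROVIDER_BASE_URL || DEFAULT_BASE_URL,
    apiKey: input.apiKey || env.PROVIDER_API_KEY || "",
  };
}

// Loopback, private, link-local (which includes the 169.254.169.254 cloud
// metadata address) and IPv4-mapped IPv6 literals. Hostnames are not resolved here.
function isPrivateOrLocalAddress(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const family = net.isIP(h);
  if (family === 4) {
    const [a = -1, b = -1] = h.split(".").map(Number);
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168)
    );
  }
  if (family === 6) {
    return h === "::1" || h === "::" || h.startsWith("fc") || h.startsWith("fd") ||
      h.startsWith("fe80:") || h.startsWith("::ffff:");
  }
  return false;
}

// Production-only SSRF check applied to a client-supplied baseUrl.
export function assertSafeBaseUrl(raw: string): URL {
  let url: URL | null = null;
  try { url = new URL(raw); } catch { /* reported below */ }
  if (!url) throw new Error("baseUrl is not a valid URL");
  if (url.protocol !== "https:" && url.protocol !== "http:") throw new Error("baseUrl must use http(s)");
  if (url.username || url.password) throw new Error("baseUrl must not embed credentials");
  if (isPrivateOrLocalAddress(url.hostname)) throw new Error("baseUrl targets a private or local address");
  return url;
}

// AFTER: a custom baseUrl is honoured only together with a client key, so the
// server key never travels to a client-chosen host. The SSRF check is skipped
// outside production so local endpoints keep working in development.
export function resolveProviderFixed(input: ClientProviderInput, env: ServerEnv, isProduction: boolean): ResolvedProvider {
  const custom = input.baseUrl?.trim();
  if (custom) {
    if (!input.apiKey) throw new Error("apiKey is required when a custom baseUrl is provided");
    if (isProduction) assertSafeBaseUrl(custom);
    return { baseUrl: custom, apiKey: input.apiKey };
  }
  const apiKey = input.apiKey || env.PROVIDER_API_KEY;
  if (!apiKey) throw new Error("no API key configured");
  return { baseUrl: env.PROVIDER_BASE_URL || DEFAULT_BASE_URL, apiKey };
}

// Connectivity probe with redirects disabled: a 3xx from the target fails the
// check instead of being followed to wherever its Location header points.
export interface ProbeInit { method: "GET"; headers: Record<string, string>; redirect: "error" }
export type FetchLike = (url: string, init: ProbeInit) => Promise<{ ok: boolean }>;

export function buildProbeRequest(cfg: ResolvedProvider): { url: string; init: ProbeInit } {
  const base = cfg.baseUrl.endsWith("/") ? cfg.baseUrl : cfg.baseUrl + "/";
  return {
    url: new URL("models", base).toString(), // assumed listing endpoint
    init: { method: "GET", headers: { Authorization: `Bearer ${cfg.apiKey}` }, redirect: "error" },
  };
}

export async function verifyProvider(cfg: ResolvedProvider, fetchImpl: FetchLike = (globalThis as any).fetch): Promise<boolean> {
  const { url, init } = buildProbeRequest(cfg);
  try {
    return (await fetchImpl(url, init)).ok;
  } catch {
    return false; // network error, or a redirect rejected because of redirect: "error"
  }
}
```

Two points worth knowing when reviewing a check like this: the WHATWG `URL` parser normalises IPv4 shorthand and hex forms (`http://127.1/`, `http://0x7f000001/`) to dotted form before `hostname` is read, so the literal check catches them; but a literal check says nothing about a public hostname that resolves to an internal address, so a production deployment still wants a resolver-level check or an egress allowlist in front of the outbound request.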