From 9aa9c6304ae5d00397cce6d129458425be6dbf4f Mon Sep 17 00:00:00 2001
From: ranj3et <46235344+ranj3et@users.noreply.github.com>
Date: Sun, 20 Jul 2025 15:26:30 +0530
Subject: [PATCH 1/2] SSRF Patch https://github.com/AIxBlock-2023/awesome-ai-dev-platform-opensource/issues/213
Signed-off-by: ranj3et <46235344+ranj3et@users.noreply.github.com>
---
 .../lib/actions/send-http-request-action.ts | 37 ++++++++++++++-----
 1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/workflow/packages/blocks/community/http/src/lib/actions/send-http-request-action.ts b/workflow/packages/blocks/community/http/src/lib/actions/send-http-request-action.ts
index eb75f7eb..66f752ca 100644
--- a/workflow/packages/blocks/community/http/src/lib/actions/send-http-request-action.ts
+++ b/workflow/packages/blocks/community/http/src/lib/actions/send-http-request-action.ts
@@ -161,15 +161,34 @@ export const httpSendRequestAction = createAction({
 } = context.propsValue;
 assertNotNullOrUndefined(method, 'Method');
- assertNotNullOrUndefined(url, 'URL');
-
- const request: HttpRequest = {
- method,
- url,
- headers: headers as HttpHeaders,
- queryParams: queryParams as QueryParams,
- timeout: timeout ? timeout * 1000 : 0,
- };
+assertNotNullOrUndefined(url, 'URL');
+
+// SSRF Patch
+ throw new Error('Invalid URL');
+}
+
+const request: HttpRequest = {
+ method,
+ url,
+ headers: headers as HttpHeaders,
+ queryParams: queryParams as QueryParams,
+ timeout: timeout ? timeout * 1000 : 0,
+};
+assertNotNullOrUndefined(method, 'Method');
+assertNotNullOrUndefined(url, 'URL');
+
+// SSRF Patch
+if (url.includes('169.254.169.254')) {
+ throw new Error('Invalid URL');
+}
+
+const request: HttpRequest = {
+ method,
+ url,
+ headers: headers as HttpHeaders,
+ queryParams: queryParams as QueryParams,
+ timeout: timeout ? timeout * 1000 : 0,
+};
 if (body) {
 const bodyInput = body['data'];
 if (body_type === 'form_data') {
From 3cb551996e4532add0bb24c2516f9fea818a0ade Mon Sep 17 00:00:00 2001
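Review bot: The added guard `if (url.includes('169.254.169.254'))` is a substring match on one literal, so it rejects only URLs whose text contains that exact string. It does not cover the same address written in another form, a hostname that resolves to it, a redirect to it, or any other internal range (loopback, private, the rest of link-local). The check should parse the URL, restrict the scheme, resolve the host and reject blocked address ranges, and ideally be enforced again where the connection is actually made so that a later DNS answer or a redirect cannot get around it. The sketch below assumes the enclosing handler is async (its signature is outside the hunk) and uses `isBlockedAddress` as a placeholder for a range check this package would have to supply. Separately, the first added copy in this hunk has a `throw`/`}` with no `if` and a second `const request`, so this commit does not compile on its own until PATCH 2/2 removes it, and the new lines sit at column 0 inside an indented body.

```typescript
// … unchanged: assertNotNullOrUndefined(method, 'Method'); assertNotNullOrUndefined(url, 'URL'); …

// SSRF guard: decide on the parsed and resolved destination, not on the raw string.
const target = new URL(url);
if (target.protocol !== 'http:' && target.protocol !== 'https:') {
  throw new Error('Invalid URL');
}
// URL.hostname keeps the brackets of an IPv6 literal; strip them before resolving.
const host = target.hostname.replace(/^\[|\]$/g, '');
// lookup: node:dns/promises. isBlockedAddress: placeholder for a range check
// (loopback, link-local incl. 169.254.0.0/16, private, unique-local) to be added to this package.
const resolved = await lookup(host, { all: true });
if (resolved.some(({ address }) => isBlockedAddress(address))) {
  throw new Error('Invalid URL');
}

// … unchanged: const request: HttpRequest = { … } …
```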
From: ranj3et <46235344+ranj3et@users.noreply.github.com>
Date: Sun, 20 Jul 2025 15:33:33 +0530
Subject: [PATCH 2/2] SSRF Patch Hello Team, Here is the fix of following vulnerability : https://github.com/AIxBlock-2023/awesome-ai-dev-platform-opensource/issues/213 Regards, Ranjeet
Signed-off-by: ranj3et <46235344+ranj3et@users.noreply.github.com>
---
 .../src/lib/actions/send-http-request-action.ts | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/workflow/packages/blocks/community/http/src/lib/actions/send-http-request-action.ts b/workflow/packages/blocks/community/http/src/lib/actions/send-http-request-action.ts
index 66f752ca..4282c3d6 100644
--- a/workflow/packages/blocks/community/http/src/lib/actions/send-http-request-action.ts
+++ b/workflow/packages/blocks/community/http/src/lib/actions/send-http-request-action.ts
@@ -160,20 +160,6 @@ export const httpSendRequestAction = createAction({
 use_proxy,
 } = context.propsValue;
- assertNotNullOrUndefined(method, 'Method');
-assertNotNullOrUndefined(url, 'URL');
-
-// SSRF Patch
- throw new Error('Invalid URL');
-}
-
-const request: HttpRequest = {
- method,
- url,
- headers: headers as HttpHeaders,
- queryParams: queryParams as QueryParams,
- timeout: timeout ? timeout * 1000 : 0,
-};
 assertNotNullOrUndefined(method, 'Method');
 assertNotNullOrUndefined(url, 'URL');