Allow AI chat to connect to LAN-hosted models via HTTP

Fixes #12768. Adds NSAllowsLocalNetworking to Info.plist and extends
self-hosted detection to recognize private IPv4/IPv6 addresses.

Author: gnachman

ModernTests/PrivateIPCheckerTests.swift

@@ -0,0 +1,212 @@
+import XCTest
+import Network
+@testable import iTerm2SharedARC
+
+final class PrivateIPCheckerTests: XCTestCase {
+
+    // MARK: - Localhost Tests
+
+    func testLocalhost() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("localhost"))
+    }
+
+    func testLocalhostUppercase() {
+        // DNS names are case-insensitive, but we match exactly
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("LOCALHOST"))
+    }
+
+    // MARK: - .local Domain Tests
+
+    func testLocalDomain() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("myserver.local"))
+    }
+
+    func testLocalDomainSubdomain() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("gpu.server.local"))
+    }
+
+    func testLocalDomainNotSuffix() {
+        // "local" appearing elsewhere shouldn't match
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("local.example.com"))
+    }
+
+    // MARK: - IPv4 Loopback Tests
+
+    func testIPv4Loopback127_0_0_1() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("127.0.0.1"))
+    }
+
+    func testIPv4Loopback127_0_0_2() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("127.0.0.2"))
+    }
+
+    func testIPv4Loopback127_255_255_255() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("127.255.255.255"))
+    }
+
+    // MARK: - IPv4 Private Range 10.x.x.x Tests
+
+    func testIPv4Private10_0_0_1() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("10.0.0.1"))
+    }
+
+    func testIPv4Private10_255_255_255() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("10.255.255.255"))
+    }
+
+    // MARK: - IPv4 Private Range 172.16-31.x.x Tests
+
+    func testIPv4Private172_16_0_1() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("172.16.0.1"))
+    }
+
+    func testIPv4Private172_31_255_255() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("172.31.255.255"))
+    }
+
+    func testIPv4NotPrivate172_15_0_1() {
+        // 172.15.x.x is NOT private
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("172.15.0.1"))
+    }
+
+    func testIPv4NotPrivate172_32_0_1() {
+        // 172.32.x.x is NOT private
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("172.32.0.1"))
+    }
+
+    // MARK: - IPv4 Private Range 192.168.x.x Tests
+
+    func testIPv4Private192_168_0_1() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("192.168.0.1"))
+    }
+
+    func testIPv4Private192_168_255_255() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("192.168.255.255"))
+    }
+
+    func testIPv4NotPrivate192_169_0_1() {
+        // 192.169.x.x is NOT private
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("192.169.0.1"))
+    }
+
+    // MARK: - IPv4 Link-Local Tests
+
+    func testIPv4LinkLocal169_254_0_1() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("169.254.0.1"))
+    }
+
+    func testIPv4LinkLocal169_254_255_255() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("169.254.255.255"))
+    }
+
+    func testIPv4NotLinkLocal169_255_0_1() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("169.255.0.1"))
+    }
+
+    // MARK: - IPv4 Public Address Tests
+
+    func testIPv4Public8_8_8_8() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("8.8.8.8"))
+    }
+
+    func testIPv4Public1_1_1_1() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("1.1.1.1"))
+    }
+
+    // MARK: - IPv4 Hostname Spoofing Prevention Tests
+
+    func testIPv4SpoofedHostname192_168_example_com() {
+        // Must NOT match - this is a hostname, not an IP
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("192.168.example.com"))
+    }
+
+    func testIPv4SpoofedHostname10_evil_com() {
+        // Must NOT match - this is a hostname, not an IP
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("10.evil.com"))
+    }
+
+    func testIPv4SpoofedHostname172_16_attacker_net() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("172.16.attacker.net"))
+    }
+
+    // MARK: - IPv6 Loopback Tests
+
+    func testIPv6LoopbackShort() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("::1"))
+    }
+
+    func testIPv6LoopbackFull() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("0:0:0:0:0:0:0:1"))
+    }
+
+    func testIPv6LoopbackFullWithLeadingZeros() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("0000:0000:0000:0000:0000:0000:0000:0001"))
+    }
+
+    // MARK: - IPv6 Link-Local Tests (fe80::/10)
+
+    func testIPv6LinkLocalFe80() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("fe80::1"))
+    }
+
+    func testIPv6LinkLocalFe80Full() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("fe80:0:0:0:0:0:0:1"))
+    }
+
+    func testIPv6LinkLocalFebf() {
+        // febf is still within fe80::/10
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("febf::1"))
+    }
+
+    func testIPv6NotLinkLocalFec0() {
+        // fec0 is outside fe80::/10 (deprecated site-local, but not link-local)
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("fec0::1"))
+    }
+
+    // MARK: - IPv6 Unique Local Tests (fc00::/7)
+
+    func testIPv6UniqueLocalFc00() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("fc00::1"))
+    }
+
+    func testIPv6UniqueLocalFd00() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("fd00::1"))
+    }
+
+    func testIPv6UniqueLocalFdab() {
+        XCTAssertTrue(PrivateIPChecker.isLocalOrPrivate("fdab:cdef:1234::1"))
+    }
+
+    func testIPv6NotUniqueLocalFe00() {
+        // fe00 is outside fc00::/7
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("fe00::1"))
+    }
+
+    // MARK: - IPv6 Public Address Tests
+
+    func testIPv6PublicGoogle() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("2001:4860:4860::8888"))
+    }
+
+    func testIPv6PublicCloudflare() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("2606:4700:4700::1111"))
+    }
+
+    // MARK: - Invalid Input Tests
+
+    func testEmptyString() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate(""))
+    }
+
+    func testRandomHostname() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("api.openai.com"))
+    }
+
+    func testInvalidIPv4TooManyOctets() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("192.168.1.1.1"))
+    }
+
+    func testInvalidIPv4OctetOutOfRange() {
+        XCTAssertFalse(PrivateIPChecker.isLocalOrPrivate("192.168.1.256"))
+    }
+}

iTerm2.xcodeproj/project.pbxproj

@@ -928,6 +928,7 @@
 		53FF982B2093C823008688D7 /* iTermSignatureVerifier.m in Sources */ = {isa = PBXBuildFile; fileRef = 53FF98292093C823008688D7 /* iTermSignatureVerifier.m */; };
 		53FF984B20967806008688D7 /* iTermMetalDeviceProvider.h in Headers */ = {isa = PBXBuildFile; fileRef = 53FF984920967805008688D7 /* iTermMetalDeviceProvider.h */; };
 		53FF984C20967806008688D7 /* iTermMetalDeviceProvider.m in Sources */ = {isa = PBXBuildFile; fileRef = 53FF984A20967805008688D7 /* iTermMetalDeviceProvider.m */; };
+		564EA2FD15A05A60A95ABBB9 /* PrivateIPChecker.swift in Sources */ = {isa = PBXBuildFile; fileRef = 625C956DD832F4FD0D8F9715 /* PrivateIPChecker.swift */; };
 		5ECE005F1454E59B004861E9 /* PseudoTerminalRestorer.h in Headers */ = {isa = PBXBuildFile; fileRef = 5ECE005D1454E59B004861E9 /* PseudoTerminalRestorer.h */; };
 		6998793AE8C54A0EAE7D5D0F /* PillBackgroundRenderer.swift in Sources */ = {isa = PBXBuildFile; fileRef = 7F3AA921DF1744D7BA890104 /* PillBackgroundRenderer.swift */; };
 		70C067D3E9484CA9A48D69BD /* ButtonPillInfo.swift in Sources */ = {isa = PBXBuildFile; fileRef = E7E1E38CBCE5463DA81CC1CF /* ButtonPillInfo.swift */; };
@@ -5152,6 +5153,7 @@
 		DCE63F57A37160221DC5B939 /* iTermScreenshotPreviewOverlay.swift in Sources */ = {isa = PBXBuildFile; fileRef = AE6718DDCFD2CA382391CDFD /* iTermScreenshotPreviewOverlay.swift */; };
 		DDF0FD65062916F70080EF74 /* iTermApplication.h in Headers */ = {isa = PBXBuildFile; fileRef = DDF0FD63062916F70080EF74 /* iTermApplication.h */; };
 		EE293B4DA9D2204FCFDE6784 /* iTermCursorSlideAnimator.h in Sources */ = {isa = PBXBuildFile; fileRef = 889A9128E944B618CDE75E18 /* iTermCursorSlideAnimator.h */; };
+		EEBDD6CF78595292D0CF8977 /* PrivateIPCheckerTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 86F85D24451C27760B7C75BC /* PrivateIPCheckerTests.swift */; };
 		F7C626F9C65F19A1BEE800DA /* iTermWordExtractor.swift in Sources */ = {isa = PBXBuildFile; fileRef = 7BF1E9C79C30008CC546F987 /* iTermWordExtractor.swift */; };
 		FB4CEC973C7E9235362E3F26 /* iTermRemotePreferences.h in Headers */ = {isa = PBXBuildFile; fileRef = FB4CECF4AC4392B21E87A07B /* iTermRemotePreferences.h */; };
 /* End PBXBuildFile section */
@@ -6215,6 +6217,7 @@
 		53FF984A20967805008688D7 /* iTermMetalDeviceProvider.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = iTermMetalDeviceProvider.m; sourceTree = "<group>"; };
 		5ECE005D1454E59B004861E9 /* PseudoTerminalRestorer.h */ = {isa = PBXFileReference; fileEncoding = 4; indentWidth = 4; lastKnownFileType = sourcecode.c.h; path = PseudoTerminalRestorer.h; sourceTree = "<group>"; tabWidth = 4; };
 		5ECE005E1454E59B004861E9 /* PseudoTerminalRestorer.m */ = {isa = PBXFileReference; fileEncoding = 4; indentWidth = 4; lastKnownFileType = sourcecode.c.objc; path = PseudoTerminalRestorer.m; sourceTree = "<group>"; tabWidth = 4; };
+		625C956DD832F4FD0D8F9715 /* PrivateIPChecker.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = PrivateIPChecker.swift; sourceTree = "<group>"; };
 		698B6ED16A3CD11D402C364B /* iTermUploadIndicator.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = sources/iTermUploadIndicator.swift; sourceTree = SOURCE_ROOT; };
 		756C32AB2597AC2E0047B3A9 /* iTermImage+Sixel.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "iTermImage+Sixel.h"; sourceTree = "<group>"; };
 		756C32AC2597AC2E0047B3A9 /* iTermImage+Sixel.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "iTermImage+Sixel.m"; sourceTree = "<group>"; };
@@ -6235,6 +6238,7 @@
 		7C74C12959E7040AF3A3B12F /* iTermAnnotatedScreenshot.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = iTermAnnotatedScreenshot.swift; sourceTree = "<group>"; };
 		7EA289FFE2BF4090A65931BA /* PillBackgroundGenerator.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PillBackgroundGenerator.swift; sourceTree = "<group>"; };
 		7F3AA921DF1744D7BA890104 /* PillBackgroundRenderer.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PillBackgroundRenderer.swift; sourceTree = "<group>"; };
+		86F85D24451C27760B7C75BC /* PrivateIPCheckerTests.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = PrivateIPCheckerTests.swift; sourceTree = "<group>"; };
 		8742065A0564169600CFC3F1 /* iTerm2.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = iTerm2.app; sourceTree = BUILT_PRODUCTS_DIR; };
 		889A9128E944B618CDE75E18 /* iTermCursorSlideAnimator.h */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.c.h; path = sources/iTermCursorSlideAnimator.h; sourceTree = SOURCE_ROOT; };
 		904AE312A0E0489899D9ECB8 /* MenuTips.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = MenuTips.xcassets; sourceTree = "<group>"; };
@@ -9210,8 +9214,28 @@
 /* End PBXFileReference section */
 
 /* Begin PBXFileSystemSynchronizedRootGroup section */
-		9C0F690213C696BCC28C2EDF /* PerformanceTests */ = {isa = PBXFileSystemSynchronizedRootGroup; explicitFileTypes = {}; explicitFolders = (); path = PerformanceTests; sourceTree = "<group>"; };
-		A6A723AF2DC04C2200A8115D /* ModernTests */ = {isa = PBXFileSystemSynchronizedRootGroup; explicitFileTypes = {}; explicitFolders = (); path = ModernTests; sourceTree = "<group>"; };
+		9C0F690213C696BCC28C2EDF /* PerformanceTests */ = {
+			isa = PBXFileSystemSynchronizedRootGroup;
+			exceptions = (
+			);
+			explicitFileTypes = {
+			};
+			explicitFolders = (
+			);
+			path = PerformanceTests;
+			sourceTree = "<group>";
+		};
+		A6A723AF2DC04C2200A8115D /* ModernTests */ = {
+			isa = PBXFileSystemSynchronizedRootGroup;
+			exceptions = (
+			);
+			explicitFileTypes = {
+			};
+			explicitFolders = (
+			);
+			path = ModernTests;
+			sourceTree = "<group>";
+		};
 /* End PBXFileSystemSynchronizedRootGroup section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -9388,7 +9412,7 @@
 /* End PBXFrameworksBuildPhase section */
 
 /* Begin PBXGroup section */
-		0464AB0D006CD2EC7F000001 /* JTerminal */ = {
+		0464AB0D006CD2EC7F000001 = {
 			isa = PBXGroup;
 			children = (
 				A6B1C69D2DC15898008AD3CA /* ModernTests.xctestplan */,
@@ -9415,6 +9439,7 @@
 				1DD39AD5180B8118004E56D5 /* Frameworks */,
 				0464AB32006CD2EC7F000001 /* Products */,
 				17E422BA95C161BE34CAF68C /* ModernTests */,
+				4325D9EB31536D67A2479157 /* sources */,
 			);
 			name = JTerminal;
 			sourceTree = "<group>";
@@ -9869,6 +9894,7 @@
 				98E9463133DCF8311E0E5B6E /* iTermFindOnPageHelperTests.swift */,
 				F6601DD02DFE3C2480DFDC73 /* IntervalTreeCoordinateClampingTests.swift */,
 				F78529322C819CAD15A19251 /* IntervalTreeGraphEncodingTests.swift */,
+				86F85D24451C27760B7C75BC /* PrivateIPCheckerTests.swift */,
 			);
 			path = ModernTests;
 			sourceTree = "<group>";
@@ -10819,6 +10845,15 @@
 			name = SSKeychain;
 			sourceTree = "<group>";
 		};
+		4325D9EB31536D67A2479157 /* sources */ = {
+			isa = PBXGroup;
+			children = (
+				625C956DD832F4FD0D8F9715 /* PrivateIPChecker.swift */,
+			);
+			name = sources;
+			path = sources;
+			sourceTree = "<group>";
+		};
 		530AB7EC20AE85DE00D2AA08 /* api */ = {
 			isa = PBXGroup;
 			children = (
@@ -13412,24 +13447,6 @@
 			name = StateRestoration;
 			sourceTree = "<group>";
 		};
-		A6B07CFB3FDCC38BFB483BDA /* sources */ = {
-			isa = PBXGroup;
-			children = (
-				207C83644F1E850C9F1E918A /* iTermTouchIDHelper.swift */,
-				B231EDB860248C368A511B42 /* iTermEventTriggerEvaluator.swift */,
-				DE7B0AE10E1598EDE1E01795 /* iTermEventTriggerParameterView.swift */,
-				7BF1E9C79C30008CC546F987 /* iTermWordExtractor.swift */,
-				C08AA4008946722C3F4C67C1 /* WordSelectionAtom.swift */,
-				02CF16386D8605E6BC44ED81 /* CharacterAtomIterator.swift */,
-				76421C2E762130B690D1ADC5 /* RegexAtomIterator.swift */,
-				889A9128E944B618CDE75E18 /* iTermCursorSlideAnimator.h */,
-				479FDFE9C0F424FEC10526EC /* iTermCursorSlideAnimator.m */,
-				ED49EE365D629DAE80503BFD /* iTermNonTextPasteHelper.swift */,
-				698B6ED16A3CD11D402C364B /* iTermUploadIndicator.swift */,
-			);
-			path = sources;
-			sourceTree = "<group>";
-		};
 		A6B413FE211A488D00D28207 /* CompactWindowStyle */ = {
 			isa = PBXGroup;
 			children = (
@@ -16416,7 +16433,7 @@
 				en,
 				Base,
 			);
-			mainGroup = 0464AB0D006CD2EC7F000001 /* JTerminal */;
+			mainGroup = 0464AB0D006CD2EC7F000001;
 			packageReferences = (
 				A62E3BC62E1CC674002DF8C3 /* XCLocalSwiftPackageReference "WebExtensionsFramework" */,
 			);
@@ -20047,6 +20064,7 @@
 				D9A2368683D7DDB73A826821 /* iTermStreamingPNGWriter.m in Sources */,
 				29C503BA29752DF6A4DB2A02 /* iTermBlurRowBuffer.swift in Sources */,
 				8EA9D682DE4199E114D920A5 /* iTermStreamingScreenshotEncoder.swift in Sources */,
+				564EA2FD15A05A60A95ABBB9 /* PrivateIPChecker.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -20095,9 +20113,8 @@
 			buildActionMask = 2147483647;
 			files = (
 				A6C811F42DCFD5E40088E628 /* SearchEngineTests.swift in Sources */,
-				F54DF58519DE131885375D3F /* iTermWordExtractorTest.swift in Sources */,
-				02BBB9199A50961FFEAC2D6D /* iTermFindOnPageHelperTests.swift in Sources */,
 				92738CD9A08C339E8F473394 /* IntervalTreeGraphEncodingTests.swift in Sources */,
+				EEBDD6CF78595292D0CF8977 /* PrivateIPCheckerTests.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

plists/beta-iTerm2.plist

@@ -6,6 +6,8 @@
 	<dict>
             <key>NSAllowsArbitraryLoadsInWebContent</key>
             <true/>
+            <key>NSAllowsLocalNetworking</key>
+            <true/>
             <key>NSExceptionDomains</key>  
             <dict>  
                 <key>127.0.0.1</key>  

plists/dev-iTerm2.plist

@@ -6,6 +6,8 @@
 	<dict>
             <key>NSAllowsArbitraryLoadsInWebContent</key>
             <true/>
+            <key>NSAllowsLocalNetworking</key>
+            <true/>
             <key>NSExceptionDomains</key>  
             <dict>  
                 <key>127.0.0.1</key>