mirror of
https://github.com/zhayujie/chatgpt-on-wechat.git
synced 2026-07-17 11:07:11 +08:00
The browser tool navigates to a model-supplied URL via Playwright page.goto and then auto-snapshots the page back to the model. The http(s) navigate path performed no filtering, so a model tool call (including under prompt injection) could point the agent-driven browser at the cloud-metadata endpoint (169.254.169.254) and read the credentials back through the snapshot. Unlike the vision/web_fetch tools, the browser legitimately needs local pages — a dev server on localhost / 127.0.0.1 / a LAN IP — so a blanket "block all internal" policy is the wrong default here. The guard is therefore narrow: it resolves the hostname and rejects only link-local addresses (169.254.0.0/16, which includes the 169.254.169.254 metadata endpoint, and IPv6 fe80::/10) plus the AWS IPv6 IMDS address (fd00:ec2::254), before navigation. Loopback and RFC1918/LAN stay reachable so local dev works out of the box. Only http/https targets are validated; the documented non-HTTP scheme handling (about:/data:/file:) is unchanged. An operator who deliberately needs the link-local/metadata target can opt out with tools.browser.allow_private_targets = true. tests/test_security_ssrf_browser_navigate.py asserts link-local/metadata targets are blocked while loopback, RFC1918/LAN and public targets navigate through (browser service and DNS are stubbed; no real browser/network). Signed-off-by: christop <825583681@qq.com>
7.3 KiB
7.3 KiB