From 3268bfc5d568c9cc50f7e8c560af517e35569361 Mon Sep 17 00:00:00 2001
From: Kyle Pope
Date: Wed, 25 Feb 2026 04:22:48 +0800
Subject: [PATCH] Fix SSRF guard to allow private IPs for LAN ntfy servers (W5)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove RFC 1918 blocks from _BLOCKED_NETWORKS — only block loopback and link-local. Self-hosted ntfy servers are typically on the same LAN.
Co-Authored-By: Claude Opus 4.6
---
 backend/app/services/ntfy.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/backend/app/services/ntfy.py b/backend/app/services/ntfy.py
index 2497b83..8a1578b 100644
--- a/backend/app/services/ntfy.py
+++ b/backend/app/services/ntfy.py
@@ -17,15 +17,13 @@ logger = logging.getLogger(__name__)
 NTFY_TIMEOUT = 8.0 # seconds — hard cap to prevent hung requests
-# RFC 1918 + loopback + link-local ranges that must never be contacted
+# Loopback + link-local only. Private IPs (RFC 1918) are intentionally allowed
+# because UMBRA is self-hosted and the user's ntfy server is typically on the same LAN.
 _BLOCKED_NETWORKS = [
- ipaddress.ip_network("10.0.0.0/8"),
- ipaddress.ip_network("172.16.0.0/12"),
- ipaddress.ip_network("192.168.0.0/16"),
 ipaddress.ip_network("127.0.0.0/8"),
 ipaddress.ip_network("169.254.0.0/16"),
 ipaddress.ip_network("::1/128"),
- ipaddress.ip_network("fc00::/7"),
+ ipaddress.ip_network("fe80::/10"),
 ]
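Review bot: Dropping `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16` from `_BLOCKED_NETWORKS` changes the guard from "no internal hosts" to "no loopback/link-local", so a user-supplied ntfy URL can now reach any other service on the deployment's network, which is the scenario the original list existed to prevent; whether that trade-off is acceptable depends on the lookup that consumes this list, which is outside the hunk. A narrower fix keeps the RFC 1918 entries and exempts only what the operator explicitly configures, for example a module-level allowlist of networks read from settings and consulted before `_BLOCKED_NETWORKS` (a constructed design, to be matched to the project's config style), so the LAN ntfy case works without opening every private range by default. Removing `fc00::/7` has the same effect for IPv6 ULA space, which on some cloud hosts also covers the instance-metadata endpoint, so that entry deserves the allowlist treatment rather than deletion. Adding `fe80::/10` is a genuine improvement independent of the rationale; the new comment should also state whether the lookup unmaps IPv4-mapped IPv6 addresses, since `ipaddress.ip_address("::ffff:127.0.0.1") in ipaddress.ip_network("127.0.0.0/8")` is `False` and the entry would not catch that form unless the caller normalises it first.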