Fix SSRF guard to allow private IPs for LAN ntfy servers (W5)

Remove RFC 1918 blocks from _BLOCKED_NETWORKS — only block loopback and link-local. Self-hosted ntfy servers are typically on the same LAN. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 04:22:48 +08:00 · 2026-02-25 04:22:48 +08:00 · 3268bfc5d5
commit 3268bfc5d5
parent 6ad6056125
1 changed files with 3 additions and 5 deletions
--- a/backend/app/services/ntfy.py
+++ b/backend/app/services/ntfy.py
@ -17,15 +17,13 @@ logger = logging.getLogger(__name__)

 NTFY_TIMEOUT = 8.0  # seconds — hard cap to prevent hung requests

-# RFC 1918 + loopback + link-local ranges that must never be contacted
+# Loopback + link-local only. Private IPs (RFC 1918) are intentionally allowed
+# because UMBRA is self-hosted and the user's ntfy server is typically on the same LAN.
 _BLOCKED_NETWORKS = [
-    ipaddress.ip_network("10.0.0.0/8"),
-    ipaddress.ip_network("172.16.0.0/12"),
-    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
-    ipaddress.ip_network("fc00::/7"),
+    ipaddress.ip_network("fe80::/10"),
 ]