mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-10 12:35:55 +02:00
The web-ingest probe in get_content_from_url validated the URL at resolve time (validate_url) but then fetched with a bare requests.get, which re-resolves the hostname at connect time. An attacker-controlled name server can answer with a public IP during validation and an internal IP at connect, reaching cloud metadata / loopback / internal services (blind always; binary content-types are read back to the caller). The connection-layer guard (#24759) that closes this for the SafeWebBaseLoader path was never mounted on this probe. Route the probe through the same _SSRFSafeAdapter the loader uses, so the resolution that feeds the TCP connect is re-validated against the global-IP check. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>