Skip to content

fix: pin DNS for safe axios direct requests#7261

Open
c121914yu wants to merge 5 commits into
labring:mainfrom
c121914yu:deplot-doc
Open

fix: pin DNS for safe axios direct requests#7261
c121914yu wants to merge 5 commits into
labring:mainfrom
c121914yu:deplot-doc

Conversation

@c121914yu

Copy link
Copy Markdown
Collaborator

Summary

  • add DNS pinning for safe axios direct outbound requests to close DNS rebinding TOCTOU
  • keep proxy outbound behavior with best-effort internal-address precheck
  • move workflow HTTP ignore-certificate behavior to controlled safe axios TLS option
  • add related upgrade docs

Tests

  • pnpm --dir packages/service test test/common/api/axios.test.ts test/core/workflow/dispatch/tools/http.test.ts
  • pnpm test

Copilot AI review requested due to automatic review settings July 6, 2026 07:27
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 19.62% 1705 / 8689
🔵 Statements 19.62% 1791 / 9127
🔵 Functions 17.5% 364 / 2080
🔵 Branches 16.44% 812 / 4938
File CoverageNo changed files found.
Generated in workflow #1282 for commit ea492e7 by the Vitest Coverage Report Action

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens outbound HTTP behavior by adding DNS pinning for “safe axios” direct requests to mitigate DNS rebinding/TOCTOU, while keeping proxy-based outbound behavior intact. It also tightens WeChat publish-channel QR login/logout APIs by authorizing via outLinkId + channel-type checks, and updates workflow HTTP TLS-ignore behavior to a controlled safe-axios option.

Changes:

  • Add DNS pinning + redirect-safe SSRF checks to createProxyAxios direct-request path; introduce __safeAxios TLS option for controlled certificate ignoring.
  • Rework WeChat publish-channel QR login/logout/status endpoints and UI to use outLinkId authorization, member-bound QR cache keys, and channel-type assertions.
  • Add/adjust tests and upgrade docs to cover the new behaviors.

Reviewed changes

Copilot reviewed 30 out of 30 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
projects/app/src/pages/api/support/outLink/wechat/qrcode/status.ts Switch QR status query to outLinkId auth + member-bound cache key; return OpenAPI-typed response and disable caching.
projects/app/src/pages/api/support/outLink/wechat/qrcode/generate.ts Switch QR generation to outLinkId auth + member-bound cache key; return OpenAPI-typed response.
projects/app/src/pages/api/support/outLink/wechat/logout.ts Switch logout to outLinkId auth + channel-type assertion; align response with OpenAPI schema.
projects/app/src/pageComponents/app/detail/Publish/Wechat/QRLoginModal.tsx Update QR login modal to call new outLinkId-based APIs and adjust hooks usage.
projects/app/src/pageComponents/app/detail/Publish/Wechat/index.tsx Update publish-channel UI to pass outLinkId instead of shareId for login/logout.
packages/service/test/core/workflow/dispatch/tools/http.test.ts Update workflow HTTP-node tests to assert __safeAxios TLS option instead of injecting an agent.
packages/service/test/common/api/axios.test.ts Add DNS pinning test coverage for direct requests, redirects, and proxy-path behavior.
packages/service/support/outLink/wechat/utils.ts Add assertWechatOutLink to enforce WeChat channel type boundary on WeChat endpoints.
packages/service/support/outLink/wechat/qrcode.ts Centralize QR cache key generation: publish:wechat:qrcode:${outLinkId}:${tmbId}.
packages/service/support/outLink/wechat/mq.ts Add more logging around poll scheduling/execution and cleanup old jobs on restart.
packages/service/support/outLink/wechat/ilinkClient.ts Improve fetch error formatting and remove manual Content-Length header handling.
packages/service/core/workflow/dispatch/tools/http468.ts Emit __safeAxios TLS option for HTTP node’s ignore-certificate setting.
packages/service/common/system/utils.ts Re-export isInternalResolvedIP for post-DNS-resolution checks.
packages/service/common/api/axios.ts Implement DNS pinning for direct requests, preserve proxy behavior, and add __safeAxios request options.
packages/global/openapi/support/outLink/index.ts Register OpenAPI paths/schemas for WeChat QR generate/status and logout APIs.
packages/global/openapi/support/outLink/api.ts Add OpenAPI zod schemas/types for WeChat QR generate/status and logout APIs.
document/data/doc-last-modified.json Update doc modified timestamps for new/changed docs.
document/content/toc.mdx Add new upgrade pages to Chinese TOC.
document/content/toc.en.mdx Add new upgrade pages to English TOC.
document/content/self-host/upgrading/4-15/meta.json Include 4.15.2 page in Chinese upgrade meta.
document/content/self-host/upgrading/4-15/meta.en.json Include 4.15.2 page in English upgrade meta.
document/content/self-host/upgrading/4-15/4152.mdx Add 4.15.2 (in progress) release notes page (CN).
document/content/self-host/upgrading/4-15/4151.mdx Mark 4.15.1 as no longer “in progress” (CN).
document/content/self-host/upgrading/4-15/4151.en.mdx Mark 4.15.1 as no longer “in progress” (EN).
document/content/self-host/upgrading/4-14/meta.json Include 4.14.28/4.14.29 pages in Chinese upgrade meta.
document/content/self-host/upgrading/4-14/meta.en.json Include 4.14.28/4.14.29 pages in English upgrade meta.
document/content/self-host/upgrading/4-14/41429.mdx Add 4.14.29 release notes page (CN).
document/content/self-host/upgrading/4-14/41429.en.mdx Add 4.14.29 release notes page (EN).
document/content/self-host/upgrading/4-14/41428.mdx Add 4.14.28 release notes page (CN).
document/content/self-host/upgrading/4-14/41428.en.mdx Add 4.14.28 release notes page (EN).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +167 to +178
const isRequestUsingProxy = (requestUrl: string, config: AxiosRequestConfig): boolean => {
if (config.proxy) {
return true;
}

try {
return getProxyForUrl(requestUrl).length > 0;
} catch {
// 代理判断失败时按可能走代理处理,避免误覆盖代理配置。
return true;
}
};
Comment on lines +222 to +227
logger.debug('Wechat poll job scheduled', {
shareId,
jobId: job.id,
delayMs,
jobState: await job.getState().catch(() => undefined)
});
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Admin Preview Image Ready!

ghcr.io/labring/fastgpt-pr:admin_ea492e735b9ab9f0e7e9b3ec12a485abd22b001b

🕒 Time: 2026-07-06 22:19:25 (UTC+8)

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Build Successful - Preview fastgpt Image for this PR:

ghcr.io/labring/fastgpt-pr:fastgpt_f54edb0f74d57f12431b2237a8f600332eb0b5f1

🕒 Time: 2026-07-06 18:11:15 (UTC+8)

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Docs Preview Deployed!

🔗 👀 Click here to visit preview

ghcr.io/labring/fastgpt-docs-pr:ea492e735b9ab9f0e7e9b3ec12a485abd22b001b

🕒 Time: 2026-07-06 22:16:53 (UTC+8)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants