fix: pin DNS for safe axios direct requests#7261
Conversation
Coverage Report
File CoverageNo changed files found. |
There was a problem hiding this comment.
Pull request overview
This PR hardens outbound HTTP behavior by adding DNS pinning for “safe axios” direct requests to mitigate DNS rebinding/TOCTOU, while keeping proxy-based outbound behavior intact. It also tightens WeChat publish-channel QR login/logout APIs by authorizing via outLinkId + channel-type checks, and updates workflow HTTP TLS-ignore behavior to a controlled safe-axios option.
Changes:
- Add DNS pinning + redirect-safe SSRF checks to
createProxyAxiosdirect-request path; introduce__safeAxiosTLS option for controlled certificate ignoring. - Rework WeChat publish-channel QR login/logout/status endpoints and UI to use
outLinkIdauthorization, member-bound QR cache keys, and channel-type assertions. - Add/adjust tests and upgrade docs to cover the new behaviors.
Reviewed changes
Copilot reviewed 30 out of 30 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| projects/app/src/pages/api/support/outLink/wechat/qrcode/status.ts | Switch QR status query to outLinkId auth + member-bound cache key; return OpenAPI-typed response and disable caching. |
| projects/app/src/pages/api/support/outLink/wechat/qrcode/generate.ts | Switch QR generation to outLinkId auth + member-bound cache key; return OpenAPI-typed response. |
| projects/app/src/pages/api/support/outLink/wechat/logout.ts | Switch logout to outLinkId auth + channel-type assertion; align response with OpenAPI schema. |
| projects/app/src/pageComponents/app/detail/Publish/Wechat/QRLoginModal.tsx | Update QR login modal to call new outLinkId-based APIs and adjust hooks usage. |
| projects/app/src/pageComponents/app/detail/Publish/Wechat/index.tsx | Update publish-channel UI to pass outLinkId instead of shareId for login/logout. |
| packages/service/test/core/workflow/dispatch/tools/http.test.ts | Update workflow HTTP-node tests to assert __safeAxios TLS option instead of injecting an agent. |
| packages/service/test/common/api/axios.test.ts | Add DNS pinning test coverage for direct requests, redirects, and proxy-path behavior. |
| packages/service/support/outLink/wechat/utils.ts | Add assertWechatOutLink to enforce WeChat channel type boundary on WeChat endpoints. |
| packages/service/support/outLink/wechat/qrcode.ts | Centralize QR cache key generation: publish:wechat:qrcode:${outLinkId}:${tmbId}. |
| packages/service/support/outLink/wechat/mq.ts | Add more logging around poll scheduling/execution and cleanup old jobs on restart. |
| packages/service/support/outLink/wechat/ilinkClient.ts | Improve fetch error formatting and remove manual Content-Length header handling. |
| packages/service/core/workflow/dispatch/tools/http468.ts | Emit __safeAxios TLS option for HTTP node’s ignore-certificate setting. |
| packages/service/common/system/utils.ts | Re-export isInternalResolvedIP for post-DNS-resolution checks. |
| packages/service/common/api/axios.ts | Implement DNS pinning for direct requests, preserve proxy behavior, and add __safeAxios request options. |
| packages/global/openapi/support/outLink/index.ts | Register OpenAPI paths/schemas for WeChat QR generate/status and logout APIs. |
| packages/global/openapi/support/outLink/api.ts | Add OpenAPI zod schemas/types for WeChat QR generate/status and logout APIs. |
| document/data/doc-last-modified.json | Update doc modified timestamps for new/changed docs. |
| document/content/toc.mdx | Add new upgrade pages to Chinese TOC. |
| document/content/toc.en.mdx | Add new upgrade pages to English TOC. |
| document/content/self-host/upgrading/4-15/meta.json | Include 4.15.2 page in Chinese upgrade meta. |
| document/content/self-host/upgrading/4-15/meta.en.json | Include 4.15.2 page in English upgrade meta. |
| document/content/self-host/upgrading/4-15/4152.mdx | Add 4.15.2 (in progress) release notes page (CN). |
| document/content/self-host/upgrading/4-15/4151.mdx | Mark 4.15.1 as no longer “in progress” (CN). |
| document/content/self-host/upgrading/4-15/4151.en.mdx | Mark 4.15.1 as no longer “in progress” (EN). |
| document/content/self-host/upgrading/4-14/meta.json | Include 4.14.28/4.14.29 pages in Chinese upgrade meta. |
| document/content/self-host/upgrading/4-14/meta.en.json | Include 4.14.28/4.14.29 pages in English upgrade meta. |
| document/content/self-host/upgrading/4-14/41429.mdx | Add 4.14.29 release notes page (CN). |
| document/content/self-host/upgrading/4-14/41429.en.mdx | Add 4.14.29 release notes page (EN). |
| document/content/self-host/upgrading/4-14/41428.mdx | Add 4.14.28 release notes page (CN). |
| document/content/self-host/upgrading/4-14/41428.en.mdx | Add 4.14.28 release notes page (EN). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| const isRequestUsingProxy = (requestUrl: string, config: AxiosRequestConfig): boolean => { | ||
| if (config.proxy) { | ||
| return true; | ||
| } | ||
|
|
||
| try { | ||
| return getProxyForUrl(requestUrl).length > 0; | ||
| } catch { | ||
| // 代理判断失败时按可能走代理处理,避免误覆盖代理配置。 | ||
| return true; | ||
| } | ||
| }; |
| logger.debug('Wechat poll job scheduled', { | ||
| shareId, | ||
| jobId: job.id, | ||
| delayMs, | ||
| jobState: await job.getState().catch(() => undefined) | ||
| }); |
|
✅ Admin Preview Image Ready! 🕒 Time: 2026-07-06 22:19:25 (UTC+8) |
|
✅ Build Successful - Preview fastgpt Image for this PR: 🕒 Time: 2026-07-06 18:11:15 (UTC+8) |
|
✅ Docs Preview Deployed! 🔗 👀 Click here to visit preview 🕒 Time: 2026-07-06 22:16:53 (UTC+8) |
Summary
Tests