Notice: Breaking change in v4.5.0 (requests to internal IP addresses disallowed)
We are publishing a notice today to bring to attention an unintentional breaking change that could affect some users of NodeBB.
v4.5.0 contained an update to `src/request.js` that calls a DNS resolver to ensure that the destination address is not a reserved IP address (e.g. `192.168...`, `127.0..`). This change was introduced in order to close off any potential for Server-Side Request Forgery for any calls made within the NodeBB codebase.
In the vast majority of installations, this has no unintended effects. In some installations, custom plugins or themes may call URLs that resolve to an internal address on purpose (e.g. to query an internal database or similar.) In those situations, the call will now fail as of v4.5.0.
In those situations, you will need to update the plugin to add the domain to the allow list by calling the `filter:request.init` hook:

plugin.json

```json
{
  ...
  "hooks": [
    ...
    { "hook": "filter:request.init", "method": "allowInternalHostname" },
    ...
  ]
  ...
}
```

library.js or similar

```js
const plugin = module.exports;

// Add the hostname to the allow list passed to the filter:request.init hook
plugin.allowInternalHostname = async ({ allowed }) => {
  allowed.add('example.org');
  return { allowed };
};
```
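The kind of check described above (resolve the hostname, refuse reserved addresses, let allow-listed hostnames through), as an added example that is not NodeBB's `src/request.js`. The names `isReserved`, `checkDestination` and `sampleResolve`, the range list and the DNS answers are assumptions constructed for this illustration.

```javascript
// Added example, not NodeBB's src/request.js. Function names, the range list
// and the stubbed DNS answers are constructed for illustration.
const net = require('node:net');
const dns = require('node:dns/promises');

// Representative reserved ranges (assumption: not NodeBB's actual list).
const reserved = new net.BlockList();
for (const [addr, prefix] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) reserved.addSubnet(addr, prefix, 'ipv4');
for (const [addr, prefix] of [['::1', 128], ['fc00::', 7], ['fe80::', 10]]) {
  reserved.addSubnet(addr, prefix, 'ipv6');
}

function isReserved(address) {
  const family = net.isIP(address);
  if (family === 0) return true; // not an IP address: fail closed
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is refused outright, a conservative choice.
  if (family === 6 && /^::ffff:/i.test(address)) return true;
  return reserved.check(address, family === 6 ? 'ipv6' : 'ipv4');
}

// `resolve` is injectable so the check can be exercised without network access.
const systemResolve = (host) => dns.lookup(host, { all: true });

async function checkDestination(url, { allowed = new Set(), resolve = systemResolve } = {}) {
  const { protocol, hostname } = new URL(url);
  if (protocol !== 'http:' && protocol !== 'https:') return { ok: false, reason: 'scheme' };
  const host = hostname.replace(/^\[|\]$/g, ''); // URL keeps brackets on IPv6 literals
  if (allowed.has(host)) return { ok: true, reason: 'allow-listed' };
  // IP literals skip DNS; the URL parser has already normalised forms such as 127.1.
  const records = net.isIP(host) ? [{ address: host }] : await resolve(host);
  if (records.length === 0) return { ok: false, reason: 'unresolvable' };
  // Every answer must be public: one reserved record is enough to refuse.
  const bad = records.find((r) => isReserved(r.address));
  return bad ? { ok: false, reason: `reserved:${bad.address}` } : { ok: true, reason: 'public' };
}

// Constructed DNS answers standing in for a real resolver.
const sampleDns = {
  'example.org': [{ address: '93.184.216.34', family: 4 }],
  'db.internal.example': [{ address: '192.168.10.5', family: 4 }],
};
const sampleResolve = async (host) => sampleDns[host] || [];
```

A check of this shape only holds if the request then connects to the address that was vetted; resolving the hostname a second time at connect time can return a different answer.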