appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.


fix(security): apply full non-routable IP-class filter on WebClient (GHSA-v49v-673j-g4vj, GHSA-m23h-pvf3-2m7p) (#41849)

## Summary

Extend the `WebClientUtils` host filter (REST API / GraphQL / OAuth2
plugin paths) to reject the same set of non-routable IP address classes
that the SMTP code path already rejects via `resolveIfAllowed`: loopback
(`127.0.0.0/8`, `::1`), any-local (`0.0.0.0`, `::`), link-local
(`169.254.0.0/16`, `fe80::/10`), multicast, and IPv6 Unique Local
Addresses (`fc00::/7`). RFC 1918 site-local ranges remain allowed (same
intentional exception as `resolveIfAllowed`).

Addresses:
- [GHSA-v49v-673j-g4vj](https://github.com/appsmithorg/appsmith/security/advisories/GHSA-v49v-673j-g4vj)
- [GHSA-m23h-pvf3-2m7p](https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p)

## Approach

`requestFilterFn` and `isDisallowedAndFail` now `OR` an additional check
against the existing exact-match `DISALLOWED_HOSTS` lookup: an
IP-literal helper that returns true when
`InetAddress.isLoopbackAddress()`, `isAnyLocalAddress()`,
`isLinkLocalAddress()`, or `isMulticastAddress()` is true, or when the
address is IPv6 in the `fc00::/7` ULA range. The existing
canonicalization (IPv4-mapped IPv6 literals normalized to IPv4) handles
literal variants.

## Test plan

- [x] `mvn -pl appsmith-interfaces test -Dtest=WebClientUtilsTest`
(48/48, +24 parameterized cases over `isBlockedIpAddressClass`).
- [x] `mvn -pl appsmith-interfaces spotless:check` clean.
- [x] Validated end-to-end on a deploy preview: REST API requests to
literals in the blocked classes return `Host not allowed` rather than
attempting the outbound connection. RFC 1918 and external hosts continue
to work.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary by CodeRabbit

* **Bug Fixes**
  * Strengthened outbound request validation for Docker deployments: expanded blocking to additional non-routable and special IP classes (loopback, any-local, link-local, multicast and IPv6 unique local ranges) to prevent connections to disallowed addresses.

* **Tests**
  * Added parameterized tests covering the expanded IP blocking logic, validating recognition of blocked address classes and ensuring other hosts remain allowed.


> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/26515121230>
> Commit: 7c75fbad86a6bcaf34367e9f4cb657d9982864e4
> <a href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=26515121230&attempt=2" target="_blank">Cypress dashboard</a>.
> Tags: `@tag.All`
> Spec:
> <hr>Wed, 27 May 2026 15:22:15 UTC


## Automation
/ok-to-test tags="@tag.All"

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Wyatt Walter committed
ea454889d69fefe887c95ad5978f23cfd1bc96a3
Parent: 26fc85e
Committed by GitHub <noreply@github.com> on 5/27/2026, 4:06:50 PM
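The IP-literal helper described in the Approach section, written out as an added stand-alone example; this is not the appsmith code from the commit, and the class name `NonRoutableIpFilter` and method signature are assumed. It relies on the JDK's own behaviour of returning an `Inet4Address` for IPv4-mapped IPv6 literals such as `::ffff:127.0.0.1`, so the mapped variants fall into the same checks as plain IPv4.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

public final class NonRoutableIpFilter {
    // Dotted-quad IPv4, or an IPv6 literal made only of hex digits, colons and dots.
    // Restricting to these shapes keeps InetAddress.getByName() from ever doing a DNS lookup.
    private static final Pattern IPV4_LITERAL = Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}$");
    private static final Pattern IPV6_LITERAL = Pattern.compile("^[0-9A-Fa-f:.]+$");

    /**
     * True when {@code host} is an IP literal in a non-routable class: loopback,
     * any-local, link-local, multicast, or IPv6 Unique Local (fc00::/7).
     * Hostnames and RFC 1918 literals return false; they are not this helper's job.
     */
    public static boolean isBlockedIpAddressClass(String host) {
        if (host == null) return false;
        String h = host.trim();
        if (h.startsWith("[") && h.endsWith("]")) {
            h = h.substring(1, h.length() - 1); // bracketed IPv6 as written in URLs
        }
        boolean looksLikeLiteral = IPV4_LITERAL.matcher(h).matches()
                || (h.indexOf(':') >= 0 && IPV6_LITERAL.matcher(h).matches());
        if (!looksLikeLiteral) return false;
        InetAddress addr;
        try {
            addr = InetAddress.getByName(h); // literal only: no resolver call here
        } catch (UnknownHostException e) {
            return false; // malformed literal; downstream parsing will reject it
        }
        if (addr.isLoopbackAddress() || addr.isAnyLocalAddress()
                || addr.isLinkLocalAddress() || addr.isMulticastAddress()) {
            return true;
        }
        // fc00::/7: the first address byte is 0xfc or 0xfd.
        return addr instanceof Inet6Address && (addr.getAddress()[0] & 0xfe) == 0xfc;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: blocked classes, a mapped variant, then allowed hosts.
        String[] samples = {"127.0.0.1", "::1", "0.0.0.0", "169.254.169.254", "fe80::1",
                "224.0.0.1", "fd12:3456::1", "::ffff:127.0.0.1", "10.0.0.5", "93.184.216.34",
                "example.com"};
        for (String s : samples) {
            System.out.printf("%-20s blocked=%b%n", s, isBlockedIpAddressClass(s));
        }
    }
}
```

The last three samples stay allowed, matching the commit's intent that RFC 1918 ranges and external hosts are unaffected; an exact-match deny list such as `DISALLOWED_HOSTS` is a separate check that would be OR-ed with this one.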