nocodb: SSRF protection hardening in spreadsheet-fetch endpoint
What changed
The spreadsheet-fetch endpoint now anchors extension matching to the end of the path (or to the position just before the query string), and replaces the hand-rolled IP blocklist with useAgent(url) from request-filtering-agent, which blocks private and loopback ranges at the socket layer.
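The two halves of the change, as an added illustration that is not NocoDB's code: an unanchored extension check beside an anchored one that only looks at the parsed pathname, and a builder that wires a socket-layer filtering agent into the fetch. The agent factory is injected as a parameter so the snippet runs offline; in a real deployment you would pass useAgent from request-filtering-agent, which rejects private and loopback destinations when the socket connects, i.e. after DNS resolution rather than by matching the hostname string. The URLs and allowed extension list are constructed for this example.

```javascript
// Added example (not NocoDB's code): extension gate for a spreadsheet-fetch URL.
const ALLOWED_EXT = ['xlsx', 'xls', 'csv']; // assumed allow-list for this example

// Weak form: matches the extension anywhere in the raw string, so a query
// string or a longer filename that merely contains ".csv" also passes.
function hasSpreadsheetExtWeak(rawUrl) {
  return new RegExp(`\\.(${ALLOWED_EXT.join('|')})`, 'i').test(rawUrl);
}

// Hardened form: parse the URL, restrict to http(s), and anchor the match to
// the end of the pathname. Query string and fragment never reach the regex.
function hasSpreadsheetExtAnchored(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return false; // unparsable input is rejected, not guessed at
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return new RegExp(`\\.(${ALLOWED_EXT.join('|')})$`, 'i').test(parsed.pathname);
}

// Build the options for the outbound request. `useAgent` is injected here so
// the example is self-contained; in production pass
// require('request-filtering-agent').useAgent, whose agent refuses connections
// to private/loopback addresses at the socket layer. A string-based hostname
// blocklist cannot see what the name resolves to; the agent can.
function buildFetchOptions(rawUrl, useAgent) {
  if (!hasSpreadsheetExtAnchored(rawUrl)) {
    throw new Error('URL does not point at a spreadsheet file');
  }
  return { method: 'GET', agent: useAgent(rawUrl) };
}
```

Because the extension gate runs before the request and the address filter runs at connect time, a URL has to pass both an anchored path check and a resolved-address check before any bytes leave the server.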
Who it affects
Authenticated users with editor permission on affected NocoDB installs.
What to do today
Update NocoDB to the latest version that includes this fix.
Source
GitHub Advisory · nocodb