
Principle:Langgenius Dify SSRFPrevention

From Leeroopedia
Knowledge Sources Dify
Domains Frontend, Security
Last Updated 2026-02-12 07:00 GMT

Overview

Dify implements Server-Side Request Forgery (SSRF) prevention through URL validation utilities that detect and flag private IP ranges, localhost addresses, link-local addresses, and .local domain suffixes before URLs are used in requests.

Description

The utils/urlValidation.ts module provides the isPrivateOrLocalAddress function, which classifies URLs based on their network address to prevent SSRF attacks. The function parses the URL's hostname and checks it against a comprehensive set of private and local network indicators: localhost and its IP equivalents (127.0.0.1, ::1), RFC 1918 private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and .local domain suffixes.

SSRF attacks exploit server-side URL fetching to access internal network resources that should not be reachable from the public internet. In Dify's context, users configure external data sources, API endpoints, webhook URLs, and tool endpoints that the platform subsequently fetches. Without validation, a malicious user could supply a URL pointing to internal infrastructure (e.g., http://169.254.169.254/latest/meta-data/ for cloud metadata services, or http://10.0.0.1/admin for internal admin panels). The isPrivateOrLocalAddress function provides the frontend layer of defense by flagging these addresses before submission.

The function also supports cloud debug URL detection for development environments, recognizing that some private addresses are legitimately used during local development. The validation is implemented as a pure function that returns a boolean, making it composable with other validation logic and testable in isolation. Because a client-side check can be skipped by anyone who submits requests directly to the API, this frontend validation is an early-feedback layer rather than the security boundary; it works in concert with backend SSRF protections to provide defense-in-depth.
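As an added example, not Dify's own code, the following TypeScript sketches a classifier along the lines the description gives for isPrivateOrLocalAddress; the helper names and the fail-closed handling of unparseable URLs are assumptions. It goes slightly beyond the page by checking the hostname as the WHATWG URL parser normalizes it, so numeric (2130706433) and IPv6 ([::1], IPv4-mapped) spellings of loopback and private addresses are classified the same way as their dotted forms.

```typescript
// Added example (not Dify's utils/urlValidation.ts). Names are assumptions.

/** Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if not IPv4. */
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

/** Ranges that must not be fetched server-side: loopback, RFC 1918, link-local. */
const BLOCKED_V4: Array<[string, number]> = [
  ["127.0.0.0", 8],
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["169.254.0.0", 16],
];

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base)! & mask) >>> 0);
}

/** True when the URL's host points at a private, loopback, link-local or .local address. */
function isPrivateOrLocalAddress(rawUrl: string): boolean {
  let host: string;
  try {
    // WHATWG parsing lower-cases the host and canonicalises numeric forms,
    // e.g. "http://2130706433/" and "http://0x7f.1/" both become "127.0.0.1".
    host = new URL(rawUrl).hostname;
  } catch {
    return true; // assumption: an unparseable URL is treated as unsafe (fail closed)
  }
  // IPv6 literals keep their brackets in .hostname: "http://[::1]/" -> "[::1]"
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".local")) return true;
  if (host === "::1" || host === "::") return true;
  // IPv4-mapped IPv6 is serialised as hex pieces ("::ffff:a00:1" is 10.0.0.1)
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  const v4 = mapped
    ? ((parseInt(mapped[1], 16) << 16) | parseInt(mapped[2], 16)) >>> 0
    : ipv4ToInt(host);
  if (v4 !== null) return BLOCKED_V4.some(([base, bits]) => inCidr(v4, base, bits));
  return false; // public hostname or routable IP; backend checks still apply after DNS
}
```

The check runs on the parsed hostname rather than the raw string, so alternate spellings of the same address cannot slip past a simple prefix match; hostnames that resolve to private IPs only at DNS time remain the backend's job.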

Usage

Use this principle when:

  • Validating user-supplied URLs for webhooks, API endpoints, data sources, or tool configurations
  • Adding new URL input fields that will trigger server-side fetches
  • Implementing allow-list or deny-list logic for network address classification

Theoretical Basis

This implements Defense in Depth by adding URL validation at the frontend layer in addition to backend protections. The private IP range detection follows the Deny-by-Default security principle, where known-dangerous address ranges are explicitly blocked. The comprehensive coverage of RFC 1918 ranges, link-local addresses, and localhost variants follows OWASP's SSRF prevention guidelines, which recommend validating both the protocol and the network address of user-supplied URLs.
