Open
Labels: enhancement (New feature or request), medium, p3 (Lowest Priority), security (Security-related issues)
Description
When relay URLs come from external/untrusted sources (e.g. group credentials, NIP-46 bunker URIs from QR codes), they could point to internal network services. A malicious relay URL like wss://192.168.1.1:8080 or wss://127.0.0.1:9090 would cause the app to connect to internal services, leaking information or enabling SSRF.
Scope:
- Filter private/reserved IP ranges from relay URLs that originate from untrusted sources:
  - Loopback: 127.0.0.0/8, ::1
  - Private: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  - Link-local: 169.254.0.0/16
- User-configured relays should NOT be filtered (user's explicit choice)
- Auto-upgrade ws:// to wss:// for untrusted sources, or reject plaintext
Affected code paths:
- keep-frost-net: relay connection setup
- keep-desktop: bunker URI parsing, group relay lists
- keep-mobile: same paths via UniFFI
Notes:
- Complements TLS certificate pinning (#201, "TLS certificate pinning (desktop)") as a separate defense layer
- Cert pinning protects against MITM on legitimate relays; this protects against malicious relay URLs targeting internal services
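
One way the filter scoped above could look in Rust using only std, added here as an example and not taken from the keep code base. The names RelayCheck, check_relay_url and the untrusted flag are hypothetical, and unwrapping IPv4-mapped IPv6 addresses goes beyond the ranges the issue lists.

```rust
use std::net::IpAddr;

#[derive(Debug, PartialEq)]
pub enum RelayCheck {
    Allow(String),        // URL to connect to (ws:// upgraded to wss://)
    Reject(&'static str), // reason
}

// Ranges listed in the issue: loopback, private, link-local.
// Assumption beyond the issue: IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first.
fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_loopback() || v4.is_private() || v4.is_link_local(),
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => is_internal(IpAddr::V4(v4)),
            None => v6.is_loopback(),
        },
    }
}

// `untrusted` (hypothetical): true for bunker URIs / group credentials, false for user-set relays.
pub fn check_relay_url(url: &str, untrusted: bool) -> RelayCheck {
    let (scheme, rest) = match url.trim().split_once("://") {
        Some(parts) => parts,
        None => return RelayCheck::Reject("missing scheme"),
    };
    if !scheme.eq_ignore_ascii_case("ws") && !scheme.eq_ignore_ascii_case("wss") {
        return RelayCheck::Reject("not a websocket URL");
    }
    if !untrusted {
        return RelayCheck::Allow(url.trim().to_string()); // user's explicit choice
    }
    // Host = authority minus userinfo and port; IPv6 literals are bracketed.
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    let hostport = authority.rsplit('@').next().unwrap_or("");
    let host = match hostport.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""),
        None => hostport.rsplit_once(':').map_or(hostport, |(h, _)| h),
    };
    match host.parse::<IpAddr>() {
        Ok(ip) if is_internal(ip) => RelayCheck::Reject("internal address"),
        _ if host.is_empty() => RelayCheck::Reject("empty host"),
        _ => RelayCheck::Allow(format!("wss://{}", rest)), // plaintext upgraded
    }
}

fn main() {
    println!("{:?}", check_relay_url("wss://192.168.1.1:8080", true)); // URL from the issue text
}
```

Hosts that are not IP literals pass this check, so the address they resolve to still has to go through is_internal before the socket is opened.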