From 4ab30bcc1d444f16530dc0d14fe035a034674192 Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 21 Apr 2026 12:26:54 +0200
Subject: [PATCH] feat: opt-in SSRF protection via BLOCK_PRIVATE_IPS env var

---
 web/index.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/web/index.php b/web/index.php
index fca2268..fde41d2 100755
--- a/web/index.php
+++ b/web/index.php
@@ -57,6 +57,25 @@ switch ($url[0]) {
 $js = $_REQUEST['js'] == 'false' ? false : true;
+ if (defined('BLOCK_PRIVATE_IPS') && BLOCK_PRIVATE_IPS) {
+ $host = parse_url($target, PHP_URL_HOST);
+ if (filter_var($host, FILTER_VALIDATE_IP)) {
+ $resolvedIp = $host;
+ } else {
+ $resolvedIp = gethostbyname($host);
+ if ($resolvedIp === $host) {
+ header('HTTP/1.0 403 Forbidden');
+ echo 'URL not allowed';
+ exit;
+ }
+ }
+ if (isPrivateIP($resolvedIp)) {
+ header('HTTP/1.0 403 Forbidden');
+ echo 'URL not allowed';
+ exit;
+ }
+ }
+
 $serverUrl = 'http://localhost:4444';
 $options = new \Facebook\WebDriver\Chrome\ChromeOptions();
 $options->addArguments(['--headless', '--disable-gpu', '--no-sandbox', '--disable-dev-shm-usage']);
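Review bot: The private-address check in the added block resolves `$host` once with gethostbyname(), but the page is then fetched by the Chrome instance behind `$serverUrl`, which resolves the name again on its own — a name that answers with a public address to PHP and a private one to the browser (DNS rebinding, or a host with several A records) passes the check, and so does a public URL that redirects to an internal address, since only the initial `$target` is inspected. Pinning the browser to the address that was actually checked closes the first gap, e.g. appending `"--host-resolver-rules=MAP {$host} {$resolvedIp}"` to the addArguments() list in the trailing context; redirects need either the browser's egress restricted to non-private ranges at the network level or a check of the final URL after navigation. A target without a host also appears to slip through: parse_url() returns null for a `file:` or scheme-less URL, filter_var(null, …) is false, gethostbyname() is then called with a non-string (coerced to an empty string, deprecated on PHP 8.1+) and its return is never `=== null`, so isPrivateIP() decides on an empty value — guard with `if (!is_string($host) || $host === '') { header('HTTP/1.0 403 Forbidden'); echo 'URL not allowed'; exit; }` before resolving, unless the scheme is already validated earlier in this switch case. isPrivateIP() and the start of the enclosing switch case are outside the hunk, so whether they handle IPv6 literals or validate the scheme cannot be seen here.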