MCPcopy Index your code
hub / github.com/simstudioai/sim / assertConnectIpAllowed

Function assertConnectIpAllowed

apps/sim/app/api/tools/onepassword/utils.ts:263–282  ·  view source on GitHub ↗

* Enforces the SSRF policy for a resolved Connect server IP. * * On the hosted service, all private and reserved IPs are blocked — a tenant has * no legitimate reason to point Connect at the platform's internal network. On * self-hosted deployments only link-local (cloud metadata) is blocked, si

(ip: string, hostname: string)

Source from the content-addressed store, hash-verified

261 * @throws Error if the IP is not permitted under the active policy.
262 */
263function assertConnectIpAllowed(ip: string, hostname: string): void {
264 if (isHosted) {
265 if (isPrivateOrReservedIP(ip)) {
266 connectLogger.warn('1Password Connect server URL resolves to a private or reserved IP', {
267 hostname,
268 resolvedIP: ip,
269 })
270 throw new Error('1Password server URL cannot point to a private or reserved IP address')
271 }
272 return
273 }
274
275 if (ipaddr.isValid(ip) && ipaddr.process(ip).range() === 'linkLocal') {
276 connectLogger.warn('1Password Connect server URL resolves to a link-local IP', {
277 hostname,
278 resolvedIP: ip,
279 })
280 throw new Error('1Password server URL cannot point to a link-local address')
281 }
282}
283
284/**
285 * Validates a Connect server URL against the SSRF policy and returns the resolved

Callers 1

validateConnectServerUrlFunction · 0.85

Calls 2

isPrivateOrReservedIPFunction · 0.90
warnMethod · 0.65

Tested by

no test coverage detected