  • 1 Votes
    1 Posts
    0 Views
    julianJ
    We are publishing a notice today to bring to attention an unintentional breaking change that could affect some users of NodeBB.

    v4.5.0 contained an update to `src/request.js` that calls a DNS resolver to ensure that the destination address is not a reserved IP address (e.g. 192.168..., 127.0..) This change was introduced in order to close off any potential for Server-Side Request Forgery for any calls made within the NodeBB codebase.

    In the vast majority of installations, this has no unintended effects.

    In some installations, custom plugins or themes may call URLs that resolve to an internal address on purpose (e.g. to query an internal database or similar.) In those situations, the call will now fail as of v4.5.0.

    In those situations, you will need to update the plugin to add the domain to the allow list by calling the `filter:request.init` hook:

    plugin.json

    ```json
    {
        ...
        "hooks": [
            ...
            { "hook": "filter:request.init", "method": "allowInternalHostname" },
            ...
        ]
        ...
    }
    ```

    library.js or similar

    ```js
    const plugin = module.exports;

    // Add the internal hostname to the allow list passed to filter:request.init
    plugin.allowInternalHostname = async ({ allowed }) => {
        allowed.add('example.org');
        return { allowed };
    };
    ```
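The kind of check the notice describes (resolve the destination, refuse reserved addresses unless the hostname is on the allow list), as an added example that is not part of the original post and is not NodeBB's `src/request.js`. The function names, the list of reserved ranges and the sample hostnames and addresses are assumptions made for illustration.

```javascript
// Added illustration; NOT NodeBB's src/request.js. All names are hypothetical.
const net = require('node:net');
const dns = require('node:dns').promises;

// Reserved ranges to refuse (a representative subset, assumed for this example).
const reserved = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) reserved.addSubnet(prefix, bits, 'ipv4');
for (const [prefix, bits] of [['::1', 128], ['fc00::', 7], ['fe80::', 10]]) {
  reserved.addSubnet(prefix, bits, 'ipv6');
}

// True when the address falls in a reserved range; non-IP input fails closed.
function isReservedAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true;
  return reserved.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Decide on a hostname given every address it resolved to.
// One reserved address among several public ones is enough to refuse.
function checkDestination(hostname, addresses, allowed) {
  if (allowed.has(hostname.toLowerCase())) return { ok: true, reason: 'allow-listed' };
  if (addresses.length === 0) return { ok: false, reason: 'no addresses' };
  const bad = addresses.find((a) => isReservedAddress(a));
  return bad
    ? { ok: false, reason: `reserved address ${bad}` }
    : { ok: true, reason: 'public' };
}

// Resolve, then check. `resolve` is injectable so the logic can run offline.
async function checkUrl(url, allowed, resolve = (h) => dns.lookup(h, { all: true })) {
  const host = new URL(url).hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  const addrs = net.isIP(host) ? [host] : (await resolve(host)).map((r) => r.address);
  return checkDestination(host, addrs, allowed);
}
```

A check like this is only as strong as the connection that follows it: if the request later re-resolves the hostname, the name can point somewhere else by then, so the request should connect to an address that was checked.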
  • 0 Votes
    2 Posts
    21 Views
    stux :stux_santa:S
    @Free_Press I had the exact same thought
  • 0 Votes
    1 Posts
    77 Views
    Aure Free Press :verified:F
    WONDER OF NATURE... Incredible video shows Taal volcano eruption in Philippines #AureFreePress #News #press #headline #breaking #breakingnews #volcano