
Commit 15a5aae

Chris Zhang authored and committed
fix(web-tools): exempt fake-IP DNS ranges from trusted/self-hosted SSRF policy
The trusted-endpoint helper used by Tavily / Brave / Exa / hosted Firecrawl search providers passes a policy of `{}` to fetchWithSsrFGuard. On fake-IP proxy setups (sing-box / Clash / Surge), every public domain resolves to the 198.18.0.0/15 RFC 2544 benchmark range or fc00::/7 IPv6 ULA, which is unconditionally blocked unless the policy opts in.

Apply the same opt-in that #74571 added to the public `tools.web.fetch` config to the hardcoded trusted/self-hosted web-tool policies:

WEB_TOOLS_TRUSTED_NETWORK_SSRF_POLICY:
+ allowRfc2544BenchmarkRange: true
+ allowIpv6UniqueLocalRange: true

WEB_TOOLS_SELF_HOSTED_NETWORK_SSRF_POLICY:
+ allowIpv6UniqueLocalRange: true (companion to the existing allowRfc2544BenchmarkRange entry)

Real-world impact: `api.tavily.com` (and every other trusted-endpoint provider) currently fails with "Blocked: resolves to private/internal/special-use IP address" on every fake-IP proxy user, even when they have `tools.web.fetch.ssrfPolicy.allowRfc2544BenchmarkRange: true` configured. The trusted endpoint path doesn't read user config; it uses the hardcoded policy above.

Refs #74351 (the original fake-IP IPv6 ULA report). The user-facing `tools.web.fetch` path was fixed in #74571; this commit covers the parallel trusted-endpoint path that #74571 didn't touch.

Open question for maintainers (not blocking this fix): the same fake-IP exemption is currently impossible to configure for `browser.ssrfPolicy` and `models.providers.*.request` — both schemas reject `allowRfc2544BenchmarkRange` and `allowIpv6UniqueLocalRange`. Should those schemas be extended to mirror `tools.web.fetch.ssrfPolicy`, or is the deliberate design that browser navigation and provider HTTP must rely on `dangerouslyAllowPrivateNetwork` plus DNS-level fake-IP exemptions outside OpenClaw? Happy to follow up separately if the schema extension is desired.
1 parent 882ddc4 commit 15a5aae

1 file changed

Lines changed: 15 additions & 1 deletion


src/agents/tools/web-guarded-fetch.ts

@@ -7,10 +7,24 @@ import {
77
} from "../../infra/net/fetch-guard.js";
88
import type { SsrFPolicy } from "../../infra/net/ssrf.js";
99

10-
const WEB_TOOLS_TRUSTED_NETWORK_SSRF_POLICY: SsrFPolicy = {};
10+
// Allow fake-IP DNS proxy ranges (RFC 2544 benchmark 198.18.0.0/15 and IPv6
11+
// ULA fc00::/7) so trusted public web-tool endpoints (Tavily, Brave, Exa,
12+
// hosted Firecrawl, etc.) work behind sing-box / Clash / Surge fake-IP
13+
// setups. The trusted path still rejects RFC1918 private networks, link-
14+
// local, loopback, and cloud-metadata hostnames — only the fake-IP-only
15+
// special-use ranges are exempted, matching how the public web_fetch policy
16+
// was extended in #74571. Without this, every web-search provider that
17+
// routes through the same trusted-endpoint helper still fails with "Blocked:
18+
// resolves to private/internal/special-use IP address" for every foreign
19+
// domain on a fake-IP proxy.
20+
const WEB_TOOLS_TRUSTED_NETWORK_SSRF_POLICY: SsrFPolicy = {
21+
allowRfc2544BenchmarkRange: true,
22+
allowIpv6UniqueLocalRange: true,
23+
};
1124
const WEB_TOOLS_SELF_HOSTED_NETWORK_SSRF_POLICY: SsrFPolicy = {
1225
dangerouslyAllowPrivateNetwork: true,
1326
allowRfc2544BenchmarkRange: true,
27+
allowIpv6UniqueLocalRange: true,
1428
};
1529

1630
type WebToolGuardedFetchOptions = Omit<
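Review bot: the new comment above WEB_TOOLS_TRUSTED_NETWORK_SSRF_POLICY says only "fake-IP-only special-use ranges are exempted", but fc00::/7 (allowIpv6UniqueLocalRange) is the IPv6 counterpart of RFC 1918 and is routable on any dual-stack internal network, so this hunk widens the trusted path for every deployment, not just fake-IP proxy users, where the previous `{}` policy blocked it unconditionally. Since the commit message itself notes that the trusted path ignores `tools.web.fetch.ssrfPolicy`, consider threading the user's `allowRfc2544BenchmarkRange` / `allowIpv6UniqueLocalRange` opt-ins into this policy instead of hardcoding both to `true`, so a deployment without a fake-IP proxy keeps the default block for a trusted hostname that happens to resolve to a ULA address. The change also ships without a test (only this one file changed); a unit test asserting that a trusted endpoint resolving into 198.18.0.0/15 is allowed while one resolving to an RFC 1918 address or loopback is still rejected would pin down the "still rejects RFC1918 private networks, link-local, loopback" claim in the comment.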

0 commit comments