Security fixes

plugins/headers.py

@@ -9,6 +9,8 @@ from urllib.parse import urlparse
 import ssl
 import socket
 
+from plugins.utils import is_public_destination
+
 async def handle_command(room, message, bot, prefix, config):
     """
     Function to handle !headers command for HTTP security header analysis.
@@ -39,6 +41,14 @@ async def handle_command(room, message, bot, prefix, config):
         if not url.startswith(('http://', 'https://')):
             url = 'https://' + url
 
+        # SSRF protection: refuse internal hosts
+        parsed = urlparse(url)
+        host = parsed.hostname
+        if not is_public_destination(host):
+            await bot.api.send_text_message(room.room_id,
+                "❌ Scanning of private/internal addresses is not allowed.")
+            return
+
         await analyze_headers(room, bot, url)
 
 async def show_usage(room, bot):
@@ -391,7 +401,7 @@ async def format_header_analysis(results):
 # Plugin Metadata
 # ---------------------------------------------------------------------------
 
-__version__ = "1.0.0"
+__version__ = "1.0.1"
 __author__ = "Funguy Bot"
 __description__ = "HTTP security header analysis"
 __help__ = """