fix: allow private OpenAI image endpoints

2026-05-06 19:00:45 +00:00 · 2026-04-24 00:35:47 +01:00
parent 5be5233250
commit d16b879334
5 changed files with 54 additions and 0 deletions
--- a/extensions/openai/image-generation-provider.test.ts
+++ b/extensions/openai/image-generation-provider.test.ts
@@ -316,6 +316,47 @@ describe("openai image generation provider", () => {
    expect(result.images).toHaveLength(1);
  });

+  it("allows OpenAI-compatible private image endpoints when browser SSRF policy opts in", async () => {
+    mockGeneratedPngResponse();
+
+    const provider = buildOpenAIImageGenerationProvider();
+    const result = await provider.generateImage({
+      provider: "openai",
+      model: "flux2-klein",
+      prompt: "A simple, clean illustration of a red apple with a green leaf",
+      cfg: {
+        browser: {
+          ssrfPolicy: {
+            dangerouslyAllowPrivateNetwork: true,
+          },
+        },
+        models: {
+          providers: {
+            openai: {
+              baseUrl: "http://192.168.1.15:8082/v1",
+              apiKey: "local-noauth",
+              models: [],
+            },
+          },
+        },
+      },
+    });
+
+    expect(resolveProviderHttpRequestConfigMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        baseUrl: "http://192.168.1.15:8082/v1",
+        allowPrivateNetwork: true,
+      }),
+    );
+    expect(postJsonRequestMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        url: "http://192.168.1.15:8082/v1/images/generations",
+        allowPrivateNetwork: true,
+      }),
+    );
+    expect(result.images).toHaveLength(1);
+  });
+
  it("forwards generation count and custom size overrides", async () => {
    mockGeneratedPngResponse();

--- a/extensions/openai/image-generation-provider.ts
+++ b/extensions/openai/image-generation-provider.ts
@@ -21,6 +21,7 @@ import {
  resolveProviderHttpRequestConfig,
  sanitizeConfiguredModelProviderRequest,
 } from "openclaw/plugin-sdk/provider-http";
+import { isPrivateNetworkOptInEnabled } from "openclaw/plugin-sdk/ssrf-runtime";
 import { OPENAI_DEFAULT_IMAGE_MODEL as DEFAULT_OPENAI_IMAGE_MODEL } from "./default-models.js";
 import { resolveConfiguredOpenAIBaseUrl } from "./shared.js";

@@ -190,6 +191,9 @@ function shouldAllowPrivateImageEndpoint(req: {
  if (req.provider === MOCK_OPENAI_PROVIDER_ID) {
    return true;
  }
+  if (isPrivateNetworkOptInEnabled(req.cfg?.browser?.ssrfPolicy)) {
+    return true;
+  }
  const baseUrl = resolveConfiguredOpenAIBaseUrl(req.cfg);
  if (!baseUrl.startsWith("http://127.0.0.1:") && !baseUrl.startsWith("http://localhost:")) {
    return false;