fix: prevent accessing local url

packages/nocodb-sdk/src/lib/error-handler/nc-error-base.ts

@@ -559,8 +559,7 @@ export class NcErrorBase {
     }
     if (!message || message === '') {
       // generic error message to prevent programmatic error to propagate to UI
-      message =
-        'Error when executing query in external data source, please contact administration to solve this issue';
+      message = 'Error when executing query in external data source';
     }
     throw this.errorCodex.generateError(
       NcErrorType.ERR_IN_EXTERNAL_DATA_SOURCE,

packages/nocodb/src/services/v3/data-attachment-v3.service.ts

@@ -5,6 +5,7 @@ import axios from 'axios';
 import { nanoid } from 'nanoid';
 import { AuditV1OperationTypes, EventType, ncIsNull } from 'nocodb-sdk';
 import slash from 'slash';
+import { useAgent } from 'request-filtering-agent';
 import type { DataUpdatePayload, NcContext } from 'nocodb-sdk';
 import type { AttachmentFilePathConstructed } from '~/helpers/attachmentHelpers';
 import type {
@@ -303,7 +304,7 @@ export class DataAttachmentV3Service {
       .update({
         [column.column_name]: JSON.stringify(updatedAttachments),
       })
-      .where(await _wherePk(baseModel.model.primaryKeys, recordId, true));
+      .where(_wherePk(baseModel.model.primaryKeys, recordId, true));
 
     if (generateThumbnailAttachments.length > 0) {
       await this.jobsService.add(JobTypes.ThumbnailGenerator, {
@@ -376,6 +377,12 @@ export class DataAttachmentV3Service {
       responseType: 'stream',
       maxRedirects: NC_ATTACHMENT_URL_MAX_REDIRECT,
       maxContentLength: NC_ATTACHMENT_FIELD_SIZE,
+      httpAgent: useAgent(url, {
+        stopPortScanningByUrlRedirection: true,
+      }),
+      httpsAgent: useAgent(url, {
+        stopPortScanningByUrlRedirection: true,
+      }),
     });
 
     // Extract file information from response headers