You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .jules/sentinel.md
+8Lines changed: 8 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -42,6 +42,14 @@
42
42
43
43
## 2025-01-24 - [SSRF via DNS Resolution]
44
44
**Vulnerability:** The `validate_folder_url` function blocked private IP literals but failed to resolve domain names to check their underlying IPs. An attacker could use a domain (e.g., `local.test`) that resolves to a private IP (e.g., `127.0.0.1`) to bypass the SSRF protection and access internal services.
45
+
**Learning:** Blocking IP literals is insufficient for SSRF protection. DNS resolution must be performed to verify that a domain does not resolve to a restricted IP address. Additionally, comprehensive checks are needed for all dangerous IP ranges (private, loopback, link-local, reserved, multicast).
46
+
**Prevention:**
47
+
1. Resolve domain names using `socket.getaddrinfo` before making requests.
48
+
2. Verify all resolved IP addresses against private/loopback/link-local/reserved/multicast ranges.
49
+
3. Handle DNS resolution failures securely (fail-closed), catching both `socket.gaierror` and `OSError`.
50
+
4. Strip IPv6 zone identifiers before IP validation.
51
+
**Known Limitations:**
52
+
- DNS rebinding attacks (TOCTOU): An attacker's DNS server could return a safe IP during validation and a private IP during the actual request. This is a fundamental limitation of DNS-based SSRF protection.
45
53
**Learning:** Blocking IP literals is insufficient for SSRF protection. DNS resolution must be performed to verify that a domain does not resolve to a restricted IP address. Note that check-time validation has TOCTOU limitations vs request-time verification.
46
54
**Prevention:**
47
55
1. Resolve domain names using `socket.getaddrinfo` before making requests.
0 commit comments