🛡️ Sentinel: [HIGH] Fix SSRF Bypass via Local-Use IPv4/IPv6 Translation addresses #85
ManupaKDU wants to merge 1 commit into
Conversation
…on addresses (RFC 8215)

Identified and fixed a Server-Side Request Forgery (SSRF) bypass vulnerability. Python's `ipaddress` module does not natively unwrap the embedded IPv4 addresses in Local-Use IPv4/IPv6 Translation formats (RFC 8215, 64:ff9b:1::/96). Similar to NAT64, it evaluates these addresses as `is_global = False` but `is_private = True`, which can lead to a bypass if only an `is_global` check is used or if unwrapping logic is missing, allowing attackers to ping internal IP addresses (e.g., 64:ff9b:1::192.168.1.1). This patch manually unwraps the embedded IPv4 address for the RFC 8215 prefix by verifying the high 96 bits (`ip_int >> 32 == 0x0064ff9b0001000000000000`) and extracting the underlying 32-bit IPv4 address using bitwise operations (`ip_int & 0xFFFFFFFF`) to evaluate it against the standard SSRF rules. Tests were updated and verified to pass, along with a documented journal entry for future context.

Co-authored-by: ManupaKDU <95234271+ManupaKDU@users.noreply.github.com>
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
🚨 Severity: HIGH

🛡 Vulnerability: Server-Side Request Forgery (SSRF) bypass allowing attackers to ping internal IP addresses by wrapping them in Local-Use IPv4/IPv6 Translation formats (RFC 8215, 64:ff9b:1::/96). Python's `ipaddress` module does not natively unwrap these embedded IPv4 addresses.

🎯 Impact: Attackers could bypass SSRF filters and scan/ping internal or private infrastructure by tunneling malicious IPv4 addresses within RFC 8215 translation addresses.

🔧 Fix: Updated the SSRF blocklist logic in `is_reachable` to manually unwrap the embedded IPv4 payload for the RFC 8215 prefix (0x0064ff9b0001000000000000) using bitwise operations and re-evaluating the underlying IPv4 address against the SSRF rules. Expanded the unit tests to explicitly cover RFC 8215 address unwrapping and SSRF prevention.

✅ Verification: Ensure tests pass locally by running `python3 -m unittest test_testping1.py`.

PR created automatically by Jules for task 8056694045426855696 started by @ManupaKDU
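The commit message and the Sentinel summary above both describe the same check: compare the high 96 bits of the address integer against the RFC 8215 prefix, mask out the low 32 bits, and run the embedded IPv4 address through the normal SSRF rules. The following is an added example written for this page, not the PR's own `is_reachable` code or its tests. It generalizes the PR's check to the other IPv6 forms that carry an IPv4 payload (IPv4-mapped, 6to4 and Teredo, which `ipaddress` exposes directly, plus the RFC 6052 well-known NAT64 prefix 64:ff9b::/96 alongside the RFC 8215 prefix). The function names `unwrap_embedded_ipv4` and `is_allowed_destination` and every sample address are assumptions made for the example.

```python
"""SSRF destination check that unwraps IPv4 payloads embedded in IPv6.

Added example for the discussion above; not the PR's own code. Function
names and sample addresses are constructed for illustration.
"""
import ipaddress

# High 96 bits of the two /96 translation prefixes, as the PR expresses them
# (ip_int >> 32 keeps the top 96 bits of a 128-bit address).
RFC8215_LOCAL_USE_PREFIX = 0x0064FF9B0001000000000000   # 64:ff9b:1::/96
RFC6052_WELL_KNOWN_PREFIX = 0x0064FF9B0000000000000000  # 64:ff9b::/96 (NAT64)


def unwrap_embedded_ipv4(host):
    """Return the IPv4 address embedded in an IPv6 transition address.

    Accepts a string or an ipaddress object. Returns the input address
    unchanged when nothing is embedded. Handles the forms ipaddress already
    decodes (IPv4-mapped, 6to4, Teredo) and the two /96 translation prefixes
    that it does not unwrap.
    """
    addr = ipaddress.ip_address(host) if isinstance(host, str) else host
    if isinstance(addr, ipaddress.IPv4Address):
        return addr
    if addr.ipv4_mapped is not None:          # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr.sixtofour is not None:            # 2002:AABB:CCDD::/48
        return addr.sixtofour
    if addr.teredo is not None:               # 2001::/32, (server, client)
        return addr.teredo[1]                 # client address is the endpoint
    ip_int = int(addr)
    if ip_int >> 32 in (RFC8215_LOCAL_USE_PREFIX, RFC6052_WELL_KNOWN_PREFIX):
        # Low 32 bits carry the IPv4 address for a /96 prefix (RFC 6052 s2.2).
        return ipaddress.IPv4Address(ip_int & 0xFFFFFFFF)
    return addr


def is_allowed_destination(host):
    """SSRF allow decision for a literal IP: True only for a globally
    routable unicast address, evaluated after unwrapping any embedded IPv4.

    A hostname is rejected here; resolve it first and check every resolved
    address with this function.
    """
    try:
        target = unwrap_embedded_ipv4(host)
    except ValueError:
        return False
    # is_global alone is not enough on older interpreters, so the explicit
    # range classes are checked as well.
    if (not target.is_global or target.is_private or target.is_loopback
            or target.is_link_local or target.is_multicast
            or target.is_reserved or target.is_unspecified):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample destinations: the translation-wrapped private
    # addresses are the cases the PR fixes.
    for sample in ("8.8.8.8", "127.0.0.1", "169.254.169.254",
                   "64:ff9b:1::192.168.1.1", "64:ff9b::10.0.0.1",
                   "::ffff:127.0.0.1", "2002:c0a8:101::"):
        print(f"{sample:28} -> unwrapped {str(unwrap_embedded_ipv4(sample)):16}"
              f" allowed={is_allowed_destination(sample)}")
```

The decision is taken on the unwrapped address, which is what the PR describes. If the service never sits behind NAT64, a stricter policy is to reject the two translation prefixes outright rather than unwrap them; the prefix comparison above is the place to do that.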