Skip to content
This repository has been archived by the owner on Aug 29, 2024. It is now read-only.

Hostname blocklist does not block FQDNs

Low
includesec-ltennant published GHSA-373w-rj84-pv6x Jun 23, 2023

Package

pip safeurl (pip)

Affected versions

<1.3

Patched versions

1.3

Description

Description

If a hostname was blacklisted, it was possible to bypass the blacklist by requesting the FQDN of the host (e.g. adding . to the end).

Impact

The main purpose of this library is to block requests to internal/private IPs and these cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, then an attacker would be able to circumvent that block to cause SSRFs to request those hostnames.

Patches

Fixed by #6

Credit

https://github.com/Sim4n6

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs