SafeURL-Python's hostname blocklist does not block FQDNs
Low severity
GitHub Reviewed
Published
Jun 23, 2023
in
IncludeSecurity/safeurl-python
•
Updated Jun 29, 2023
Description
Published to the GitHub Advisory Database
Jun 29, 2023
Reviewed
Jun 29, 2023
Last updated
Jun 29, 2023
Description
If a hostname was blacklisted, it was possible to bypass the blacklist by requesting the FQDN of the host (e.g. adding
.
to the end).Impact
The main purpose of this library is to block requests to internal/private IPs and these cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, then an attacker would be able to circumvent that block to cause SSRFs to request those hostnames.
Patches
Fixed by IncludeSecurity/safeurl-python#6
Credit
https://github.com/Sim4n6
References