Sentinel: [HIGH] Fix SSRF bypass via SIIT (IPv4-translated) addresses #78
Severity: HIGH

Vulnerability: Python's `ipaddress` module evaluates SIIT (IPv4-translated) addresses (e.g., `::ffff:0:a.b.c.d`) as `is_global = True` and does not expose them via the `ipv4_mapped` property. This allows an attacker to bypass standard SSRF filters by embedding loopback or private IPv4 addresses within the SIIT IPv6 structure, which the host OS network stack may then natively unwrap and route.

Impact: Attackers could bypass SSRF protections to scan or interact with internal/private IPs and the loopback interface on the host machine.

Fix: Updated the manual IPv6 unpacking block in `testping1.py` to identify the SIIT prefix by checking if the high 96 bits equal `0xffff0000` (`ip_int >> 32 == 0xffff0000`). When matched, the embedded 32-bit IPv4 address is extracted and correctly subjected to the SSRF blocklist validation.

Verification: Added a test case `test_is_reachable_ssrf_bypass_siit` that ensures `::ffff:0:127.0.0.1` and `::ffff:0:192.168.1.1` are correctly rejected. Verified by running the test suite (`python3 -m unittest test_testping1.py`).

Co-authored-by: ManupaKDU <95234271+ManupaKDU@users.noreply.github.com>
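As an added example (not the PR's `testping1.py`, and with hypothetical function names), the check described above written as a small normaliser: it shows what `ipaddress` alone reports for a SIIT address, unwraps both the IPv4-mapped form (which the stdlib already exposes) and the SIIT form (which it does not), and only then applies the blocklist decision.

```python
import ipaddress

# Added example, not the PR's own code. Function names are hypothetical.
# High 96 bits of the two IPv6 forms that carry an IPv4 address in the low 32:
MAPPED_HIGH96 = 0xffff      # ::ffff:a.b.c.d   (IPv4-mapped; stdlib exposes via .ipv4_mapped)
SIIT_HIGH96 = 0xffff0000    # ::ffff:0:a.b.c.d (SIIT / IPv4-translated; stdlib does not unwrap)


def stdlib_verdict(addr):
    """What ipaddress alone reports for the address: (is_global, ipv4_mapped)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global, getattr(ip, "ipv4_mapped", None)


def unwrap_embedded_ipv4(addr):
    """Return the embedded IPv4Address for the mapped or SIIT forms,
    otherwise the parsed address unchanged."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and (int(ip) >> 32) in (MAPPED_HIGH96, SIIT_HIGH96):
        return ipaddress.IPv4Address(int(ip) & 0xffffffff)
    return ip


def is_blocked(addr):
    """SSRF blocklist decision taken after unwrapping: anything that is
    not a global unicast address (loopback, private, link-local, reserved,
    multicast) is rejected."""
    ip = unwrap_embedded_ipv4(addr)
    return (not ip.is_global) or ip.is_multicast


if __name__ == "__main__":
    # Constructed sample inputs: the PR's two test addresses plus a public control.
    for a in ("::ffff:0:127.0.0.1", "::ffff:0:192.168.1.1", "::ffff:0:8.8.8.8"):
        print(a, stdlib_verdict(a), "->", unwrap_embedded_ipv4(a),
              "blocked" if is_blocked(a) else "allowed")
```

Without the unwrap step, `stdlib_verdict` alone would let the first two addresses through as global; with it, the blocklist sees `127.0.0.1` and `192.168.1.1`.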
Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add an emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
PR created automatically by Jules for task 12756634130325821454 started by @ManupaKDU