🛡️ Sentinel: [CRITICAL/HIGH] Fix SSRF bypass via ISATAP IPv6 addresses #73
ManupaKDU wants to merge 1 commit into
Added a check in the SSRF blocking logic to identify ISATAP addresses (where the 32 bits before the IPv4 address are 0x00005efe or 0x02005efe), manually unwrap the encapsulated IPv4 address, and validate it against the blocklist (e.g. rejecting loopback, private, etc.). Python's ipaddress module evaluates these addresses as is_global = True and does not natively unwrap them. Included a corresponding test suite check.

Co-authored-by: ManupaKDU <95234271+ManupaKDU@users.noreply.github.com>
🚨 Severity: HIGH

💡 Vulnerability: The application was vulnerable to an SSRF bypass when passed ISATAP tunneling addresses (e.g., `2001:db8::5efe:127.0.0.1` or `2001:db8::200:5efe:127.0.0.1`), which encapsulate a blocked internal IPv4 address. Python's `ipaddress` module evaluates these addresses as `is_global = True` and does not provide an `isatap` property to easily extract the embedded IPv4 address.

🎯 Impact: An attacker could bypass SSRF protections to scan or interact with internal, private, or loopback network addresses by wrapping them in an ISATAP IPv6 address, circumventing the intended security boundaries.

🔧 Fix: Added manual unpacking logic for ISATAP (RFC 5214) addresses in `testping1.py`. Extracted the 32-bit ISATAP identifier using bitwise shifting (`(ip_int >> 32) & 0xFFFFFFFF`) to check for `0x00005efe` or `0x02005efe`. If identified, the underlying IPv4 address is extracted and validated against SSRF blocklist rules.

✅ Verification: Added the test `test_is_reachable_ssrf_bypass_isatap` in `test_testping1.py` which explicitly validates that ISATAP encapsulations of loopback and private IPs are rejected by the SSRF filter. All tests pass successfully.

PR created automatically by Jules for task 13537170886671902071 started by @ManupaKDU
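As an added, self-contained example (not code from this PR, from the project's `testping1.py`, or from Jules), here is a Python check that implements the ISATAP unwrapping described in the PR description and in the summary above: take the low 64 bits of the IPv6 address, compare the upper 32 of them against `0x00005efe` / `0x02005efe`, and if they match, validate the embedded IPv4 address with the same rules as a bare IPv4 target. It goes slightly beyond the PR by also consulting the IPv4-mapped and 6to4 embeddings that `ipaddress` already exposes as `ipv4_mapped` and `sixtofour`, so that all three are rejected by one code path. The function names (`unwrap_isatap`, `is_disallowed`, `check_ssrf_target`) and the sample addresses are constructed for this example.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# ISATAP (RFC 5214) interface identifiers: the 32 bits immediately above the
# embedded IPv4 address are 0000:5efe (u/l bit clear) or 0200:5efe (u/l bit set).
ISATAP_IDENTIFIERS = {0x00005EFE, 0x02005EFE}


def unwrap_isatap(addr: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in an ISATAP address, or None.

    ipaddress has no 'isatap' property, so the identifier is read by hand:
    bits 32..63 of the 128-bit integer are the identifier, bits 0..31 the IPv4.
    """
    ip_int = int(addr)
    identifier = (ip_int >> 32) & 0xFFFFFFFF
    if identifier not in ISATAP_IDENTIFIERS:
        return None
    return ipaddress.IPv4Address(ip_int & 0xFFFFFFFF)


def is_disallowed(ip: IPAddress) -> bool:
    """Blocklist rule shared by bare and embedded addresses.

    Anything that is not a global unicast address is rejected; the explicit
    flags are listed so the intent survives differences between Python versions.
    """
    return (
        not ip.is_global
        or ip.is_multicast
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_unspecified
    )


def check_ssrf_target(target: str) -> Optional[str]:
    """Return a rejection reason for an IP literal, or None when it may be contacted."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return f"{target!r} is not a valid IP literal"

    if ip.version == 6:
        # Check every IPv4 embedding before the outer address so the reason
        # names the tunnelled target; this is deliberately conservative.
        embeddings = (
            ("IPv4-mapped", ip.ipv4_mapped),
            ("6to4", ip.sixtofour),
            ("ISATAP", unwrap_isatap(ip)),
        )
        for label, inner in embeddings:
            if inner is not None and is_disallowed(inner):
                return f"{label} address embeds non-public IPv4 {inner}"

    if is_disallowed(ip):
        return f"{ip} is not a public address"
    return None


if __name__ == "__main__":
    # Constructed sample targets: the two ISATAP forms from the PR, plus the
    # embeddings ipaddress handles natively and two plain public addresses.
    for sample in (
        "2001:db8::5efe:127.0.0.1",
        "2001:db8::200:5efe:10.0.0.1",
        "::ffff:192.168.1.1",
        "2002:7f00:1::",
        "8.8.8.8",
        "2001:4860:4860::8888",
    ):
        print(f"{sample:32} -> {check_ssrf_target(sample) or 'allowed'}")
```

`unwrap_isatap` is only a bit-pattern test, so a legitimately routable IPv6 address whose interface identifier happens to start with `0:5efe` or `200:5efe` will also be treated as a tunnel; for an SSRF filter that false positive is the safe direction, and the reason string makes the decision visible in logs.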