GHSA-97vg-427p-8hx5: SurrealDB: Port-specific --deny-net rules silently bypassed on HTTP redirect
SurrealDB offers http::* functions that can access external network endpoints, with the --allow-net and --deny-net capabilities used to restrict the set of network targets that can be reached. An authenticated user of SurrealDB can bypass a port-scoped --deny-net <host>:<port> rule by chaining an HTTP redirect: the initial request goes to an --allow-net-permitted hostname, the response’s 3xx Location header points at the denied host:port, and the redirect is followed even though the destination was explicitly denied.
The root cause is in the redirect policy applied to outbound HTTP requests (surrealdb/core/src/fnc/util/http/mod.rs): the NetTarget for the redirect destination is built from url.host_str() alone, and url.port() is dropped. The capability matcher (surrealdb/core/src/dbs/capabilities.rs:259-264) refuses to match a port-bearing rule against a port-stripped target (Self::Host(host, Some(port)) => match tgt { _ => false }), so the operator's port-scoped deny rule silently never fires on the redirect target, even though the same rule would have blocked a direct request to that host:port.
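The following is an added model of the matcher behaviour described above, not SurrealDB's own code: a port-scoped deny rule, a port-stripped redirect target that slips past it, and a corrected target construction that keeps the port. The type and function names and the small URL splitter are hypothetical simplifications.

```rust
// Added illustration of the GHSA-97vg-427p-8hx5 matcher logic, not SurrealDB's own code;
// the names below and the URL splitter are hypothetical simplifications.
#[derive(Debug, Clone, PartialEq)]
enum NetTarget {
    Host(String, Option<u16>),
}

impl NetTarget {
    /// Does rule `self` cover the concrete outbound target `tgt`?
    fn matches(&self, tgt: &NetTarget) -> bool {
        match (self, tgt) {
            // Host-only rule: covers every port on that host.
            (NetTarget::Host(rh, None), NetTarget::Host(th, _)) => rh == th,
            // Port-scoped rule: host and port must both be present and equal.
            (NetTarget::Host(rh, Some(rp)), NetTarget::Host(th, Some(tp))) => rh == th && rp == tp,
            // A port-stripped target never matches a port-scoped rule (the behaviour described above).
            (NetTarget::Host(_, Some(_)), NetTarget::Host(_, None)) => false,
        }
    }
}

/// A target is reachable only if some allow rule covers it and no deny rule does.
fn permitted(allow: &[NetTarget], deny: &[NetTarget], tgt: &NetTarget) -> bool {
    allow.iter().any(|r| r.matches(tgt)) && !deny.iter().any(|r| r.matches(tgt))
}

/// Minimal split of "scheme://host[:port]/path" into (scheme, host, explicit port); no IPv6 literals.
fn split_url(url: &str) -> (&str, &str, Option<u16>) {
    let (scheme, rest) = url.split_once("://").unwrap_or(("http", url));
    let authority = rest.split('/').next().unwrap_or("");
    match authority.rsplit_once(':') {
        Some((host, port)) => (scheme, host, port.parse::<u16>().ok()),
        None => (scheme, authority, None),
    }
}

/// Vulnerable construction: the redirect target keeps only the host, so the port is lost.
fn redirect_target_vulnerable(location: &str) -> NetTarget {
    NetTarget::Host(split_url(location).1.to_string(), None)
}

/// Fixed construction: keep the explicit port, or fall back to the scheme's default port.
fn redirect_target_fixed(location: &str) -> NetTarget {
    let (scheme, host, port) = split_url(location);
    NetTarget::Host(host.to_string(), port.or(Some(if scheme == "https" { 443 } else { 80 })))
}
```

In this model a host-only deny rule still matches the port-stripped target, which is why only port-scoped deny rules are affected by the redirect path.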