GMS-2023-1894: SafeURL-Python's hostname blocklist does not block FQDNs

June 29, 2023

Description

If a hostname was block listed, it was possible to bypass the block list by requesting the FQDN of the host (e.g. adding . to the end).

Impact

The main purpose of this library is to block requests to internal/private IPs and these cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, then an attacker would be able to circumvent that block to cause SSRFs to request those hostnames.

Patches

Fixed by https://github.com/IncludeSecurity/safeurl-python/pull/6

Credit

https://github.com/Sim4n6

References

github.com/IncludeSecurity/safeurl-python/commit/c4f9677f8790a58eaa1953bac286cca75a5f580e
github.com/IncludeSecurity/safeurl-python/pull/6
github.com/IncludeSecurity/safeurl-python/security/advisories/GHSA-373w-rj84-pv6x
github.com/advisories/GHSA-373w-rj84-pv6x

Code Behaviors & Features

Detect and mitigate GMS-2023-1894 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →