Skip to content

🛡️ Sentinel: [HIGH] Fix SSRF vulnerability via DNS resolution #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
google-labs-jules wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

🛡️ Sentinel: [HIGH] Fix SSRF vulnerability via DNS resolution #98

google-labs-jules wants to merge 1 commit into from

Conversation

@google-labs-jules
Copy link

@google-labs-jules google-labs-jules bot commented Jan 13, 2026

This change enhances the SSRF protection in validate_folder_url. Previously, the code only checked if the hostname was an explicit private IP literal. It now attempts to resolve domain names to their IP addresses and checks if the resolved IP is private or loopback. This prevents attackers from using domains (e.g., local.example.com or internal DNS names) to bypass the private IP check.

Tests were created and run to verify that domains resolving to private IPs are now rejected, while valid public domains are still accepted. The tests mocked socket.gethostbyname to simulate various DNS scenarios.

PR created automatically by Jules for task 15694335479946925489 started by @abhimehro

@google-labs-jules
Copy link
Author

google-labs-jules bot commented Jan 13, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@trunk-io
Copy link

trunk-io bot commented Jan 13, 2026

Merging to main in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 13, 2026
View reviewed changes
main.py
ip_str = socket.gethostbyname(hostname)
ip = ipaddress.ip_address(ip_str)
except (socket.gaierror, ValueError) as e:
log.warning(f"Failed to resolve hostname for {sanitize_for_log(url)}: {e}")

Check warning

Code scanning / Prospector (reported by Codacy)

Use lazy % formatting in logging functions (logging-fstring-interpolation) Warning

Use lazy % formatting in logging functions (logging-fstring-interpolation)
main.py
return False

if ip.is_private or ip.is_loopback:
log.warning(f"Skipping unsafe URL (resolves to private IP): {sanitize_for_log(url)} -> {ip}")

Check warning

Code scanning / Prospector (reported by Codacy)

Use lazy % formatting in logging functions (logging-fstring-interpolation) Warning

Use lazy % formatting in logging functions (logging-fstring-interpolation)
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 13, 2026
View reviewed changes
main.py
# Not an IP literal, try to resolve domain
try:
ip_str = socket.gethostbyname(hostname)
ip = ipaddress.ip_address(ip_str)

Check warning

Code scanning / Pylint (reported by Codacy)

Variable name "ip" doesn't conform to snake_case naming style Warning

Variable name "ip" doesn't conform to snake_case naming style
main.py
try:
ip_str = socket.gethostbyname(hostname)
ip = ipaddress.ip_address(ip_str)
except (socket.gaierror, ValueError) as e:

Check warning

Code scanning / Pylint (reported by Codacy)

Variable name "e" doesn't conform to snake_case naming style Warning

Variable name "e" doesn't conform to snake_case naming style
main.py
return False

if ip.is_private or ip.is_loopback:
log.warning(f"Skipping unsafe URL (resolves to private IP): {sanitize_for_log(url)} -> {ip}")

Check warning

Code scanning / Pylint (reported by Codacy)

Line too long (105/100) Warning

Line too long (105/100)
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 13, 2026
View reviewed changes
.jules/sentinel.md
1. Parse URLs and check hostnames against `localhost` and private IP ranges using `ipaddress` module.
2. Enforce strict length limits on user inputs (e.g., profile IDs) to prevent resource exhaustion or buffer abuse.

## 2025-02-17 - [SSRF DNS Rebinding Prevention]

Check notice

Code scanning / Remark-lint (reported by Codacy)

Warn when references to undefined definitions are found. Note

[no-undefined-references] Found reference to undefined definition
.jules/sentinel.md
1. Parse URLs and check hostnames against `localhost` and private IP ranges using `ipaddress` module.
2. Enforce strict length limits on user inputs (e.g., profile IDs) to prevent resource exhaustion or buffer abuse.

## 2025-02-17 - [SSRF DNS Rebinding Prevention]

Check notice

Code scanning / Remark-lint (reported by Codacy)

Warn when shortcut reference links are used. Note

[no-shortcut-reference-link] Use the trailing [] on reference links
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 13, 2026
View reviewed changes
main.py
# Not an IP literal, try to resolve domain
try:
ip_str = socket.gethostbyname(hostname)
ip = ipaddress.ip_address(ip_str)

Check warning

Code scanning / Pylintpython3 (reported by Codacy)

Variable name "ip" doesn't conform to snake_case naming style Warning

Variable name "ip" doesn't conform to snake_case naming style
main.py
try:
ip_str = socket.gethostbyname(hostname)
ip = ipaddress.ip_address(ip_str)
except (socket.gaierror, ValueError) as e:

Check warning

Code scanning / Pylintpython3 (reported by Codacy)

Variable name "e" doesn't conform to snake_case naming style Warning

Variable name "e" doesn't conform to snake_case naming style
main.py
return False

if ip.is_private or ip.is_loopback:
log.warning(f"Skipping unsafe URL (resolves to private IP): {sanitize_for_log(url)} -> {ip}")

Check warning

Code scanning / Pylintpython3 (reported by Codacy)

Line too long (105/100) Warning

Line too long (105/100)
main.py
ip_str = socket.gethostbyname(hostname)
ip = ipaddress.ip_address(ip_str)
except (socket.gaierror, ValueError) as e:
log.warning(f"Failed to resolve hostname for {sanitize_for_log(url)}: {e}")

Check notice

Code scanning / Pylintpython3 (reported by Codacy)

Use lazy % formatting in logging functions Note

Use lazy % formatting in logging functions
main.py
return False

if ip.is_private or ip.is_loopback:
log.warning(f"Skipping unsafe URL (resolves to private IP): {sanitize_for_log(url)} -> {ip}")

Check notice

Code scanning / Pylintpython3 (reported by Codacy)

Use lazy % formatting in logging functions Note

Use lazy % formatting in logging functions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant