Conversation

@ryanfowler (Owner)

No description provided.

@ryanfowler ryanfowler requested a review from Copilot January 27, 2026 05:13
Copilot AI left a comment

Pull request overview

This PR implements DNS rebinding attack prevention by performing DNS resolution and SSRF validation atomically. Instead of validating the hostname before making the request (which creates a TOCTTOU vulnerability), the code now resolves the hostname to an IP address, validates that IP, and then makes the request directly to the validated IP while setting the Host header to the original hostname.

Changes:

  • Removed pre-request host validation to eliminate TOCTTOU vulnerability between validation and request
  • Added atomic DNS resolution and SSRF validation that resolves hostnames to IPs and validates them in one step
  • Implemented request routing directly to validated IP addresses with proper Host header preservation

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

lib/fetch.ts: Refactored SSRF protection to perform atomic DNS resolution and validation, replacing hostname-based validation with IP-based validation to prevent DNS rebinding attacks.
lib/fetch.test.ts: Added comprehensive test suite covering DNS rebinding scenarios including single/multiple IP resolution, redirect validation, and spy verification of atomic resolution.

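The resolve-then-pin flow the review describes, written out as an added example for this page; it is not the project's `lib/fetch.ts` and does not reproduce it. It assumes IPv4-only answers, a synchronous injectable resolver standing in for `dns.promises.lookup(host, { all: true })` so the example runs offline, and constructed hostnames (`rebind.example`, `cdn.example`) and addresses drawn from the documentation ranges. The "rebinding" resolver mirrors the kind of fixture a test suite for this fix would use: a public answer on the first query, a loopback answer afterwards.

```typescript
// Added example (not the project's code): resolve a hostname and validate the
// resulting addresses in one step, then pin the request to that address so a
// later, rebound DNS answer can never influence where the connection goes.

// Kept synchronous so the example runs offline against a fake zone; in
// production this would wrap dns.promises.lookup(host, { all: true }).
export type Resolver = (hostname: string) => string[];

export interface PinnedTarget {
  original: string;               // URL as requested (used as base for redirects)
  ip: string;                     // validated address the socket will connect to
  host: string;                   // original hostname, sent as the Host header
  url: string;                    // request URL with hostname replaced by the IP
  headers: Record<string, string>;
}

// Parse a dotted-quad IPv4 literal; null for anything else (including IPv6).
export function parseIPv4(s: string): number[] | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  const octets: number[] = [];
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Refuse loopback, RFC 1918, link-local (which covers 169.254.169.254 cloud
// metadata), CGNAT, 0.0.0.0/8 and everything from multicast upward. Anything
// that does not parse as IPv4 is refused too (fail closed).
export function isBlockedIPv4(ip: string): boolean {
  const o = parseIPv4(ip);
  if (!o) return true;
  const [a, b] = o;
  if (a === 0 || a === 10 || a === 127) return true;
  if (a === 169 && b === 254) return true;
  if (a === 172 && b >= 16 && b <= 31) return true;
  if (a === 192 && b === 168) return true;
  if (a === 100 && b >= 64 && b <= 127) return true;
  if (a >= 224) return true;
  return false;
}

// Resolve and validate atomically: the address we check is the address we use.
export function resolveAndPin(rawUrl: string, resolve: Resolver): PinnedTarget {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported scheme ${url.protocol}`);
  }
  const host = url.hostname;
  // A literal IPv4 address skips DNS; everything else is looked up once.
  const ips = parseIPv4(host) ? [host] : resolve(host);
  if (ips.length === 0) throw new Error(`no addresses for ${host}`);
  // Every answer must pass: a hostile zone can mix a public and a private
  // address and rely on the client picking the "wrong" one.
  for (const ip of ips) {
    if (isBlockedIPv4(ip)) throw new Error(`refusing ${host}: resolves to ${ip}`);
  }
  const pinned = new URL(url.toString());
  pinned.hostname = ips[0];
  return { original: url.toString(), ip: ips[0], host, url: pinned.toString(), headers: { Host: host } };
}

// Redirects pass through the same gate: the Location target is resolved and
// validated afresh, relative to the original URL rather than the pinned one.
export function followRedirect(from: PinnedTarget, location: string, resolve: Resolver): PinnedTarget {
  const next = new URL(location, from.original);
  return resolveAndPin(next.toString(), resolve);
}

// Constructed fake zone (test fixture): first query answers with a public
// address (203.0.113.0/24 is the TEST-NET-3 documentation range, standing in
// for a real public address), every later query answers with loopback.
export function makeRebindingResolver(): Resolver {
  let queries = 0;
  return (hostname) => {
    if (hostname !== "rebind.example") return [];
    queries += 1;
    return queries === 1 ? ["203.0.113.10"] : ["127.0.0.1"];
  };
}

// The pinned target is fixed at validation time; whatever the zone answers
// afterwards never reaches the socket.
export function demo(): PinnedTarget {
  const resolve = makeRebindingResolver();
  return resolveAndPin("http://rebind.example:8080/path?q=1", resolve);
}
```

Two caveats a practitioner will hit immediately. The blocklist above is IPv4-only; a real check also needs IPv6 (loopback, ULA, link-local) and IPv4-mapped IPv6 addresses, or it should refuse non-IPv4 answers outright as this one does. And for HTTPS, substituting the IP into the URL makes TLS use the IP for SNI and certificate verification, so the request will fail against a normal certificate; the connection has to be dialled to the validated IP while SNI and verification keep the original hostname, which means a custom agent or connect hook rather than a rewritten URL.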

@ryanfowler ryanfowler merged commit 064a054 into main Jan 27, 2026
3 checks passed
@ryanfowler ryanfowler deleted the dns-rebinding branch January 27, 2026 05:14