🛡️ Sentinel: Fix SSRF vulnerability in URL validation by google-labs-jules[bot] · Pull Request #89 · abhimehro/ctrld-sync

google-labs-jules · 2026-01-10T10:51:45Z

🛡️ Sentinel: [HIGH] Fix SSRF vulnerability in folder URL validation

🚨 Severity: HIGH
💡 Vulnerability: The previous validation logic allowed domains that resolve to private IP addresses (SSRF), as it only checked for explicit "localhost" strings or IP literals.
🎯 Impact: An attacker could potentially access internal network resources by providing a URL pointing to a local service via a domain name.
🔧 Fix: Updated validate_folder_url to resolve domain names to IP addresses and verify that they do not point to private or loopback ranges using the ipaddress library.
✅ Verification: Verified with a test script simulating domains resolving to private and public IPs.

PR created automatically by Jules for task 12945820800002383074 started by @abhimehro

- Added DNS resolution to `validate_folder_url` to check for private IPs. - Used `socket.gethostbyname` to resolve domains. - Verified that resolved IPs are not private or loopback addresses. - Added `socket` import.

google-labs-jules · 2026-01-10T10:51:46Z

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

+                resolved_ip_str = socket.gethostbyname(hostname)
+                resolved_ip = ipaddress.ip_address(resolved_ip_str)
+                if resolved_ip.is_private or resolved_ip.is_loopback:
+                    log.warning(f"Skipping unsafe URL (domain resolves to private IP {resolved_ip_str}): {sanitize_for_log(url)}")


+                 # We'll allow it to proceed to HTTP request which will likely fail,
+                 # or we could be strict and reject it.
+                 # Being strict is safer for security.
+                 log.warning(f"Skipping unsafe URL (DNS resolution failed): {sanitize_for_log(url)}")


            # Not an IP literal, it's a domain.
-            pass
+            try:
+                # Resolve domain to IP to check for private addresses (SSRF protection)


+                 # We'll allow it to proceed to HTTP request which will likely fail,
+                 # or we could be strict and reject it.
+                 # Being strict is safer for security.
+                 log.warning(f"Skipping unsafe URL (DNS resolution failed): {sanitize_for_log(url)}")


+                 # or we could be strict and reject it.
+                 # Being strict is safer for security.
+                 log.warning(f"Skipping unsafe URL (DNS resolution failed): {sanitize_for_log(url)}")
+                 return False


+                 # or we could be strict and reject it.
+                 # Being strict is safer for security.
+                 log.warning(f"Skipping unsafe URL (DNS resolution failed): {sanitize_for_log(url)}")
+                 return False


+                 # or we could be strict and reject it.
+                 # Being strict is safer for security.
+                 log.warning(f"Skipping unsafe URL (DNS resolution failed): {sanitize_for_log(url)}")
+                 return False


+                 # or we could be strict and reject it.
+                 # Being strict is safer for security.
+                 log.warning(f"Skipping unsafe URL (DNS resolution failed): {sanitize_for_log(url)}")
+                 return False


+                 return False
+            except Exception as e:
+                log.warning(f"Failed to resolve domain for URL {sanitize_for_log(url)}: {e}")
+                return False


+                 return False
+            except Exception as e:
+                log.warning(f"Failed to resolve domain for URL {sanitize_for_log(url)}: {e}")
+                return False


+            except Exception as e:
+                log.warning(f"Failed to resolve domain for URL {sanitize_for_log(url)}: {e}")
+                return False



+            except Exception as e:
+                log.warning(f"Failed to resolve domain for URL {sanitize_for_log(url)}: {e}")
+                return False



abhimehro · 2026-01-18T21:24:31Z

Superseded: SSRF protection already in main via PR #109.

feat: Add SSRF protection by resolving domains in URL validation

d1c5ffc

- Added DNS resolution to `validate_folder_url` to check for private IPs. - Used `socket.gethostbyname` to resolve domains. - Verified that resolved IPs are not private or loopback addresses. - Added `socket` import.

github-actions bot added the python label Jan 10, 2026

github-advanced-security AI found potential problems Jan 10, 2026

View reviewed changes

abhimehro closed this Jan 18, 2026

abhimehro deleted the sentinel-ssrf-fix-12945820800002383074 branch January 19, 2026 05:39

Conversation

google-labs-jules bot commented Jan 10, 2026

Uh oh!

google-labs-jules bot commented Jan 10, 2026

Uh oh!

Check warning

Check warning

Check notice

Check notice

Check notice

Check warning

Check warning

Check warning

Check notice

Check notice

Check notice

Check notice

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

abhimehro commented Jan 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants