If the hostname is an IP, skip the stored ssrf vulnerability

bitterpanda63 · bitterpanda63 · commit 7f8cd5eb5c0f · 2025-09-16T16:20:57.000+02:00
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/Resolver.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/Resolver.java
@@ -14,6 +14,11 @@ public static String resolvesToImdsIp(Set<String> resolvedIpAddresses, String ho
             return null;
         }
         for (String ip : resolvedIpAddresses) {
+            if (hostname.trim().equals(ip.trim())) {
+                // If the hostname is the IP, that means no resolving is happening
+                // so the request is safe.
+                continue;
+            }
             if (IMDSAddresses.isImdsIpAddress(ip)) {
                 return ip;
             }

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,11 @@ public static String resolvesToImdsIp(Set<String> resolvedIpAddresses, String ho`
`14`	`14`	`return null;`
`15`	`15`	`}`
`16`	`16`	`for (String ip : resolvedIpAddresses) {`
	`17`	`+ if (hostname.trim().equals(ip.trim())) {`
	`18`	`+ // If the hostname is the IP, that means no resolving is happening`
	`19`	`+ // so the request is safe.`
	`20`	`+ continue;`
	`21`	`+ }`
`17`	`22`	`if (IMDSAddresses.isImdsIpAddress(ip)) {`
`18`	`23`	`return ip;`
`19`	`24`	`}`