Skip to content

Commit 7d2d777

Browse files
committed
Create an AIKIDO_TRUSTED_HOSTNAMES and parse
1 parent bf3acdb commit 7d2d777

2 files changed

Lines changed: 29 additions & 0 deletions

File tree

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
"""Helper function file, see function docstring"""
2+
3+
import os
4+
5+
6+
def get_trusted_hostnames():
7+
"""
8+
Parses the AIKIDO_TRUSTED_HOSTNAMES environment variable.
9+
Returns a list of hostnames that should be considered as the server itself
10+
(i.e. outgoing requests to these hosts will not be flagged as SSRF).
11+
The value is expected to be a comma-separated list of hostnames, e.g.:
12+
AIKIDO_TRUSTED_HOSTNAMES=myapp.com,api.myapp.com
13+
"""
14+
env_value = os.getenv("AIKIDO_TRUSTED_HOSTNAMES")
15+
if not env_value:
16+
return []
17+
return [h.strip() for h in env_value.split(",") if h.strip()]

docs/ssrf.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,18 @@ In this example, the attacker sends a request to `localtest.me:3000/private`, wh
2222

2323
We don't protect against stored SSRF attacks, where an attacker injects a malicious URL into your app's database. To prevent stored SSRF attacks, validate and sanitize user input before storing it in your database.
2424

25+
## Allowlisting your own hostnames (`AIKIDO_TRUSTED_HOSTNAMES`)
26+
27+
To safely allow outgoing requests to your own services, set the `AIKIDO_TRUSTED_HOSTNAMES` environment variable to a comma-separated list of your hostnames:
28+
29+
```
30+
AIKIDO_TRUSTED_HOSTNAMES=myapp.com,api.myapp.com,backend.internal
31+
```
32+
Any outgoing request whose destination hostname exactly matches one of these values will not be flagged as SSRF
33+
34+
**When should you set this?**
35+
Set `AIKIDO_TRUSTED_HOSTNAMES` when your application makes outgoing requests to its own domain, and those hostnames appear in user-supplied input (e.g. `Host`, `Referer`, `Origin`, etc.)
36+
2537
## Which built-in modules are protected?
2638

2739
Firewall protects against SSRF attacks in the following built-in modules:

0 commit comments

Comments
 (0)