Skip to content

fix: normalize IPv4-mapped IPv6 addresses in SSRF protection#1586

Open
xlyoung wants to merge 1 commit into
SolaceLabs:mainfrom
xlyoung:fix/normalize-ipv4-mapped-ssrf
Open

fix: normalize IPv4-mapped IPv6 addresses in SSRF protection#1586
xlyoung wants to merge 1 commit into
SolaceLabs:mainfrom
xlyoung:fix/normalize-ipv4-mapped-ssrf

Conversation

@xlyoung

@xlyoung xlyoung commented Jun 6, 2026

Copy link
Copy Markdown

Problem

The webhook SSRF protection in _check_ip_blocked() can be bypassed using IPv4-mapped IPv6 address notation (e.g. ::ffff:127.0.0.1).

Root cause: ipaddress.ip_address("::ffff:127.0.0.1") returns an IPv6Address, which is not considered part of the 127.0.0.0/8 IPv4 network. This allows bypassing all IPv4 blocked ranges.

Fix

Normalize IPv4-mapped IPv6 addresses to their embedded IPv4 address before checking against blocked networks, using IPv6Address.ipv4_mapped. This handles all IPv4 ranges in a single check rather than maintaining a parallel list of ::ffff: prefixed networks.

7 lines added, no behavior change for non-mapped addresses.

Fixes #1517

IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) were not matched by
the IPv4 blocked networks because ipaddress.ip_address() returns an
IPv6Address which is not considered part of an IPv4 network.

Add normalization that resolves ipv4_mapped to the embedded IPv4 address
before range checks, preventing SSRF bypass via IPv6 notation.

Fixes SolaceLabs#1517
Copilot AI review requested due to automatic review settings June 6, 2026 09:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR closes an IP-blocklist bypass by normalizing IPv4-mapped IPv6 addresses (e.g., ::ffff:10.0.0.1) to their embedded IPv4 address before checking blocked network ranges.

Changes:

  • Normalize IPv4-mapped IPv6 addresses via ip.ipv4_mapped in _check_ip_blocked
  • Add explanatory comments clarifying why the normalization is required

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Webhook SSRF Protection Bypass

2 participants