fix(http): add SSRF redirect protection to OkHttp client#159
Open
spicy-potato-cat wants to merge 2 commits into
OkHttp follows redirects transparently before any scope check, allowing an attacker-controlled target to redirect the scanner to cloud metadata endpoints (169.254.169.254) and exfiltrate credentials from the host VM. Add SsrfRedirectInterceptor as an OkHttp network interceptor that validates redirect Location headers against loopback, link-local, site-local, IPv6 unique-local ranges, and the metadata.google.internal hostname. Wire it into HttpClientModule's OkHttpClient builder. Refs google#153
Cover all blocked address ranges (loopback, link-local, site-local, IPv6 unique-local), the metadata.google.internal hostname block, public IP passthrough, and non-redirect response passthrough. Refs google#153
Summary
Add an OkHttp network interceptor that blocks HTTP redirects to
internal and cloud metadata endpoints, preventing SSRF attacks
where an attacker-controlled scan target redirects the scanner to
sensitive addresses.
Problem

The OkHttp client follows redirects by default (`DEFAULT_FOLLOW_REDIRECTS = true`) with no destination validation. A malicious scan target can return a 302 redirect to `http://169.254.169.254/latest/meta-data/` and the scanner will silently follow it, potentially exfiltrating cloud IAM credentials from the host VM.
Changes

- `SsrfRedirectInterceptor.java` (new): Network interceptor that inspects redirect responses (301/302/303/307/308) and blocks `Location` targets resolving to loopback, link-local, site-local, IPv6 unique-local addresses, and `metadata.google.internal`
- `HttpClientModule.java`: Wire interceptor into the `OkHttpClient.Builder`
- `SsrfRedirectInterceptorTest.java` (new): Unit tests covering all blocked ranges, public IP passthrough, hostname blocking, and non-redirect passthrough
Notes
- `InetAddress` built-in checks and Guava `ImmutableSet`
- unaffected
Refs #153
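The PR's own `SsrfRedirectInterceptor` source is not shown on this page. The following is an added example of how a redirect guard with the described behaviour can be written against the OkHttp 4 Java API; it is not the project's code. The class name `RedirectGuardInterceptor`, the helper names and the sample addresses in `main` are my own, and the address policy goes slightly beyond the PR's list by also refusing the unspecified address (`0.0.0.0` / `::`).

```java
import java.io.IOException;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

import okhttp3.HttpUrl;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Response;

/**
 * Example network interceptor (hypothetical name, not the PR's class). Network interceptors
 * run after RetryAndFollowUpInterceptor, so they see every 3xx before OkHttp follows it.
 */
public final class RedirectGuardInterceptor implements Interceptor {

  /** Hostnames refused by name, before any DNS lookup; the page names only this one. */
  private static final Set<String> BLOCKED_HOSTNAMES = Set.of("metadata.google.internal");

  /** Status codes treated as redirects, matching the PR description. */
  private static final Set<Integer> REDIRECT_CODES = Set.of(301, 302, 303, 307, 308);

  @Override
  public Response intercept(Chain chain) throws IOException {
    Response response = chain.proceed(chain.request());
    if (!REDIRECT_CODES.contains(response.code())) {
      return response;                      // non-redirects pass through untouched
    }
    String location = response.header("Location");
    if (location == null) {
      return response;                      // nothing for OkHttp to follow
    }
    // Resolve relative Location values against the request URL, as OkHttp itself will.
    HttpUrl target = response.request().url().resolve(location);
    if (target == null) {
      return response;                      // unparseable; OkHttp will not follow it either
    }
    if (isBlockedHost(target.host())) {
      response.close();                     // release the connection before failing the call
      throw new IOException("Redirect to blocked address refused: " + target.host());
    }
    return response;
  }

  /** True when the host is a blocked name or any address it resolves to is blocked. */
  static boolean isBlockedHost(String host) {
    if (BLOCKED_HOSTNAMES.contains(host.toLowerCase(Locale.ROOT))) {
      return true;
    }
    try {
      // IP literals are parsed without a lookup; names resolve to every A/AAAA record,
      // and one blocked record is enough to refuse the redirect.
      for (InetAddress addr : InetAddress.getAllByName(host)) {
        if (isBlockedAddress(addr)) {
          return true;
        }
      }
      return false;
    } catch (UnknownHostException e) {
      return true;                          // fail closed: do not follow what cannot be vetted
    }
  }

  /** Address policy; the unspecified address is an addition beyond the PR's list. */
  static boolean isBlockedAddress(InetAddress addr) {
    if (addr.isLoopbackAddress()            // 127.0.0.0/8, ::1
        || addr.isLinkLocalAddress()        // 169.254.0.0/16, fe80::/10
        || addr.isSiteLocalAddress()        // 10/8, 172.16/12, 192.168/16, fec0::/10
        || addr.isAnyLocalAddress()) {      // 0.0.0.0, ::
      return true;
    }
    if (addr instanceof Inet6Address) {
      // Java's isSiteLocalAddress() only knows the deprecated fec0::/10, so unique-local
      // fc00::/7 (first byte 0xfc or 0xfd) needs its own check.
      int firstByte = addr.getAddress()[0] & 0xff;
      return (firstByte & 0xfe) == 0xfc;
    }
    return false;
  }

  /** Must be registered as a *network* interceptor, or it never sees the redirect response. */
  public static OkHttpClient newGuardedClient() {
    return new OkHttpClient.Builder()
        .addNetworkInterceptor(new RedirectGuardInterceptor())
        .build();
  }

  /** Offline check on constructed sample hosts; every literal below is parsed without DNS. */
  public static void main(String[] args) {
    String[] constructedBlocked = {"169.254.169.254", "127.0.0.1", "10.0.0.5",
        "fe80::1", "fd12:3456::1", "metadata.google.internal"};
    String[] constructedAllowed = {"8.8.8.8", "2001:4860:4860::8888"};
    for (String h : constructedBlocked) {
      System.out.println(h + " blocked=" + isBlockedHost(h));   // expected: true for each
    }
    for (String h : constructedAllowed) {
      System.out.println(h + " blocked=" + isBlockedHost(h));   // expected: false for each
    }
  }
}
```

Two caveats worth keeping in mind when reviewing an interceptor of this shape. First, a redirect to a hostname is vetted by the addresses DNS returns at check time; the address OkHttp later connects to comes from a second resolution, so a name that resolves differently between the two (DNS rebinding) slips past. Applying the same `isBlockedAddress` policy inside a custom `okhttp3.Dns` set on the builder enforces it at connect time instead and closes that gap. Second, the interceptor only examines redirect targets; the scanner's initial request URL is not inspected here, which a connect-time `Dns` check would also cover.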