
fix(http): add SSRF redirect protection to OkHttp client#159

Open
spicy-potato-cat wants to merge 2 commits into google:master from spicy-potato-cat:master
Conversation

@spicy-potato-cat

Summary

Add an OkHttp network interceptor that blocks HTTP redirects to
internal and cloud metadata endpoints, preventing SSRF attacks
where an attacker-controlled scan target redirects the scanner to
sensitive addresses.

Problem

The OkHttp client follows redirects by default
(DEFAULT_FOLLOW_REDIRECTS = true) with no destination validation.
A malicious scan target can return a 302 redirect to
http://169.254.169.254/latest/meta-data/ and the scanner will
silently follow it, potentially exfiltrating cloud IAM credentials
from the host VM.

Changes

  • SsrfRedirectInterceptor.java (new): Network interceptor
    that inspects redirect responses (301/302/303/307/308) and blocks
    Location targets resolving to loopback, link-local, site-local,
    IPv6 unique-local addresses, and metadata.google.internal
  • HttpClientModule.java: Wire interceptor into the
    OkHttpClient.Builder
  • SsrfRedirectInterceptorTest.java (new): Unit tests covering
    all blocked ranges, public IP passthrough, hostname blocking, and
    non-redirect passthrough

Notes

  • No new dependencies — uses InetAddress built-in checks and
    Guava ImmutableSet
  • Only redirects are validated; original scan requests are
    unaffected
  • Non-redirect responses pass through untouched

Refs #153

OkHttp follows redirects transparently before any scope check,
allowing an attacker-controlled target to redirect the scanner to
cloud metadata endpoints (169.254.169.254) and exfiltrate
credentials from the host VM.

Add SsrfRedirectInterceptor as an OkHttp network interceptor that
validates redirect Location headers against loopback, link-local,
site-local, IPv6 unique-local ranges, and the
metadata.google.internal hostname. Wire it into HttpClientModule's
OkHttpClient builder.

Refs google#153

Cover all blocked address ranges (loopback, link-local, site-local,
IPv6 unique-local), the metadata.google.internal hostname block,
public IP passthrough, and non-redirect response passthrough.

Refs google#153
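As an added example, not code from this PR or from the project, here is a self-contained version of the redirect check the description outlines, written as an OkHttp network interceptor; the class and method names are hypothetical, and the blocked address classes are the ones the PR lists (loopback, link-local, site-local, IPv6 unique-local, and the metadata.google.internal hostname).

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ProtocolException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;
import okhttp3.HttpUrl;
import okhttp3.Interceptor;
import okhttp3.Response;

/** Hypothetical OkHttp network interceptor that refuses redirects pointing at internal addresses. */
public final class RedirectTargetGuard implements Interceptor {
  // Blocked by name, regardless of what the name resolves to.
  private static final Set<String> BLOCKED_HOSTS = Set.of("metadata.google.internal");
  @Override
  public Response intercept(Chain chain) throws IOException {
    Response response = chain.proceed(chain.request());
    String location = response.header("Location");
    // Non-redirects, and redirects OkHttp could not follow anyway, pass through untouched.
    if (!response.isRedirect() || location == null) {
      return response;
    }
    // Resolve relative Location values against the request URL, exactly as OkHttp would.
    HttpUrl target = response.request().url().resolve(location);
    if (target == null || isBlockedHost(target.host())) {
      response.close();
      // ProtocolException is not recoverable for OkHttp, so it will not retry on another route.
      throw new ProtocolException("Blocked redirect to internal address: " + location);
    }
    return response;
  }
  /** True if the host is blocklisted by name or any address it resolves to is internal. */
  static boolean isBlockedHost(String host) {
    if (BLOCKED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return true;
    try {
      for (InetAddress addr : InetAddress.getAllByName(host)) {
        if (isInternal(addr)) return true;
      }
    } catch (UnknownHostException e) {
      return true; // fail closed: an unresolvable redirect target is never followed
    }
    return false;
  }
  /** Loopback, link-local (covers 169.254.169.254), site-local (RFC 1918), IPv6 unique-local (fc00::/7). */
  static boolean isInternal(InetAddress addr) {
    byte[] raw = addr.getAddress();
    boolean uniqueLocalV6 = raw.length == 16 && (raw[0] & 0xfe) == 0xfc;
    return addr.isLoopbackAddress() || addr.isLinkLocalAddress() || addr.isSiteLocalAddress() || uniqueLocalV6;
  }
}
```

It is installed with `OkHttpClient.Builder.addNetworkInterceptor(...)`, because network interceptors see each redirect response before OkHttp follows it, while application interceptors only see the final response. The interceptor resolves the host itself and OkHttp resolves it again for the follow-up request, so a name whose answers change between the two lookups (DNS rebinding) remains a gap unless the client pins resolution, for example with a custom `okhttp3.Dns`.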