fix: add octal integer IP parsing and fix test naming

Tomo1912 · Tomo1912 · commit d0c93330098d · 2026-01-08T18:08:33.000+01:00
- Add octal integer format parsing (017700000001 = 127.0.0.1)
- Rename SSL test to reflect fail-secure behavior (stays_enabled, not defaults_to_false)
- Add tests for octal integer IP obfuscation
diff --git a/src/fetch/src/mcp_server_fetch/server.py b/src/fetch/src/mcp_server_fetch/server.py
@@ -79,14 +79,25 @@ def _parse_obfuscated_ip(hostname: str) -> str | None:
 
     Attackers may use alternative IP representations to bypass SSRF filters:
     - Decimal: 2130706433 (= 127.0.0.1)
-    - Octal: 0177.0.0.1 (= 127.0.0.1)
+    - Octal integer: 017700000001 (= 127.0.0.1)
+    - Octal dotted: 0177.0.0.1 (= 127.0.0.1)
     - Hex: 0x7f000001 (= 127.0.0.1)
     - Mixed: 0x7f.0.0.1 (= 127.0.0.1)
 
     Returns the normalized IP string if detected, None otherwise.
     """
     hostname = hostname.strip()
 
+    # Try octal integer format (e.g., 017700000001 = 127.0.0.1)
+    # Must check before decimal since octal strings are also digits
+    try:
+        if hostname.startswith("0") and len(hostname) > 1 and hostname.isdigit():
+            ip_int = int(hostname, 8)
+            if 0 <= ip_int <= 0xFFFFFFFF:  # Valid 32-bit range
+                return str(ipaddress.IPv4Address(ip_int))
+    except (ValueError, ipaddress.AddressValueError):
+        pass
+
     # Try decimal integer format (e.g., 2130706433 = 127.0.0.1)
     try:
         if hostname.isdigit():
diff --git a/src/fetch/tests/test_security.py b/src/fetch/tests/test_security.py
@@ -114,8 +114,8 @@ async def test_ssl_verify_case_insensitive(self, reset_env):
             assert server_module.SSL_VERIFY is expected, f"Failed for value: {value}"
 
     @pytest.mark.asyncio
-    async def test_ssl_verify_invalid_value_defaults_to_false(self, reset_env):
-        """Invalid values should default to False (not 'true')."""
+    async def test_ssl_verify_invalid_value_stays_enabled(self, reset_env):
+        """Invalid/unknown values should keep SSL verification ENABLED (fail-secure)."""
         os.environ['MCP_FETCH_SSL_VERIFY'] = 'invalid'
 
         import importlib
@@ -176,6 +176,9 @@ class TestIPObfuscationParsing:
         # Hex encoding
         ("0x7f000001", "127.0.0.1"),
         ("0x7F000001", "127.0.0.1"),  # uppercase
+        # Octal integer format (without dots)
+        ("017700000001", "127.0.0.1"),
+        ("025177524776", "169.254.169.254"),  # metadata IP in octal
         # Octal dotted format
         ("0177.0.0.1", "127.0.0.1"),
         ("0177.0.0.01", "127.0.0.1"),
