Description
The safe_get() function in src/extension_shield/utils/http_safety.py validates outbound URLs by resolving DNS and verifying all resolved IPs are non-private (lines 137-146 in validate_outbound_url). However, the subsequent requests.get() call at line 182 performs its own independent DNS resolution.
This creates a Time-of-Check to Time-of-Use (TOCTOU) window vulnerable to DNS rebinding attacks:
1. validate_outbound_url() resolves example.com to 1.2.3.4 (public IP) — passes the check
2. requests.get() re-resolves example.com to 169.254.169.254 (cloud metadata) — bypasses the protection
An attacker controlling a DNS server can serve a public IP during the validation phase and switch to a private/internal IP for the actual request.
Impact
In cloud deployments (Railway, AWS, GCP), a successful DNS rebinding attack could expose instance metadata, service account credentials, and internal network resources. This is a significant concern for a security-focused tool.
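The usual mitigation is to resolve the hostname exactly once, validate every returned address, and then connect to that pinned address so the HTTP client never performs a second lookup. The helper below is an added illustration of that pattern, not code from extension_shield; the resolver is injectable so the check can be exercised offline, and resolve_and_pin is a hypothetical name.

```python
"""Resolve once, validate, and pin the validated address (added example)."""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit, urlunsplit

Resolver = Callable[[str], List[str]]


def _default_resolver(host: str) -> List[str]:
    # Real DNS lookup; kept separate so tests can inject a fake resolver.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_ip(ip: str) -> bool:
    # is_global is False for RFC 1918, loopback, link-local (which covers
    # the 169.254.169.254 metadata endpoint), CGNAT and other reserved ranges.
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def resolve_and_pin(url: str, resolver: Resolver = _default_resolver) -> Tuple[str, str]:
    """Return (pinned_url, host_header) for a URL whose host resolves only to public IPs.

    The hostname is resolved a single time. The returned URL carries the chosen
    IP literal instead of the name, so the client cannot re-resolve the name
    between this check and the actual connection. The original hostname is
    returned separately so it can be sent in the Host header.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        raise ValueError("URL has no host")
    ips = resolver(host)
    if not ips:
        raise ValueError(f"{host} did not resolve")
    non_public = [ip for ip in ips if not is_public_ip(ip)]
    if non_public:
        raise ValueError(f"{host} resolves to non-public address(es): {non_public}")
    ip = ips[0]
    netloc = f"[{ip}]" if ":" in ip else ip
    if parts.port:
        netloc += f":{parts.port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))
    host_header = host if parts.port is None else f"{host}:{parts.port}"
    return pinned, host_header
```

For plain HTTP, passing the pinned URL with a Host header is sufficient; for HTTPS the client must additionally send the original hostname as SNI and verify the certificate against it (for example via a custom transport adapter), otherwise certificate verification fails against the IP literal.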