🛡️ Sentinel: [HIGH] Fix SSRF protection by resolving domains by google-labs-jules[bot] · Pull Request #109 · abhimehro/ctrld-sync

google-labs-jules · 2026-01-17T10:43:01Z

🚨 Severity: HIGH
💡 Vulnerability: SSRF protection was incomplete as it only checked IP literals but not domains resolving to private IPs.
🎯 Impact: Attackers could access internal services by providing a domain that resolves to a private IP (e.g., DNS Rebinding).
🔧 Fix: Updated validate_folder_url in main.py to resolve domains using socket.getaddrinfo and check the resulting IPs against private/loopback ranges.
✅ Verification: Added tests/test_ssrf.py which verifies that domains resolving to private IPs are blocked. Verified with dry-run on valid URLs.

PR created automatically by Jules for task 13102230351974662327 started by @abhimehro

google-labs-jules · 2026-01-17T10:43:02Z

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

trunk-io · 2026-01-17T10:43:04Z

Merging to main in this repository is managed by Trunk.

To merge this pull request, check the box to the left or comment /trunk merge below.

.jules/sentinel.md

 1. Parse URLs and check hostnames against `localhost` and private IP ranges using `ipaddress` module.
 2. Enforce strict length limits on user inputs (e.g., profile IDs) to prevent resource exhaustion or buffer abuse.
+
+## 2026-01-17 - [SSRF Protection Enhancement]


.jules/sentinel.md

 1. Parse URLs and check hostnames against `localhost` and private IP ranges using `ipaddress` module.
 2. Enforce strict length limits on user inputs (e.g., profile IDs) to prevent resource exhaustion or buffer abuse.
+
+## 2026-01-17 - [SSRF Protection Enhancement]


main.py

+                    ip_str = res[4][0]
+                    ip = ipaddress.ip_address(ip_str)
+                    if ip.is_private or ip.is_loopback:
+                        log.warning(f"Skipping unsafe URL (domain {hostname} resolves to private IP {ip}): {sanitize_for_log(url)}")


main.py

+                        log.warning(f"Skipping unsafe URL (domain {hostname} resolves to private IP {ip}): {sanitize_for_log(url)}")
+                        return False
+            except (socket.gaierror, ValueError, OSError) as e:
+                log.warning(f"Failed to resolve/validate domain {hostname}: {e}")


tests/test_ssrf.py

@@ -0,0 +1,54 @@
+import unittest
+from unittest.mock import patch, MagicMock


tests/test_ssrf.py

+# Add root to path to import main
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+import main


tests/test_ssrf.py

+
+            self.assertTrue(result, "Should allow domain resolving to public IP")
+
+if __name__ == '__main__':


main.py

+                    # res is (family, type, proto, canonname, sockaddr)
+                    # sockaddr is (address, port) for AF_INET/AF_INET6
+                    ip_str = res[4][0]
+                    ip = ipaddress.ip_address(ip_str)


main.py

+                    ip_str = res[4][0]
+                    ip = ipaddress.ip_address(ip_str)
+                    if ip.is_private or ip.is_loopback:
+                        log.warning(f"Skipping unsafe URL (domain {hostname} resolves to private IP {ip}): {sanitize_for_log(url)}")


main.py

+                    if ip.is_private or ip.is_loopback:
+                        log.warning(f"Skipping unsafe URL (domain {hostname} resolves to private IP {ip}): {sanitize_for_log(url)}")
+                        return False
+            except (socket.gaierror, ValueError, OSError) as e:


tests/test_ssrf.py

@@ -0,0 +1,54 @@
+import unittest


tests/test_ssrf.py

+# Add root to path to import main
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+import main


tests/test_ssrf.py

+
+import main
+
+class TestSSRF(unittest.TestCase):


main.py

+                    ip_str = res[4][0]
+                    ip = ipaddress.ip_address(ip_str)
+                    if ip.is_private or ip.is_loopback:
+                        log.warning(f"Skipping unsafe URL (domain {hostname} resolves to private IP {ip}): {sanitize_for_log(url)}")


main.py

+                        log.warning(f"Skipping unsafe URL (domain {hostname} resolves to private IP {ip}): {sanitize_for_log(url)}")
+                        return False
+            except (socket.gaierror, ValueError, OSError) as e:
+                log.warning(f"Failed to resolve/validate domain {hostname}: {e}")


tests/test_ssrf.py

@@ -0,0 +1,54 @@
+import unittest
+from unittest.mock import patch, MagicMock


main.py

+                    # res is (family, type, proto, canonname, sockaddr)
+                    # sockaddr is (address, port) for AF_INET/AF_INET6
+                    ip_str = res[4][0]
+                    ip = ipaddress.ip_address(ip_str)


main.py

+                    ip_str = res[4][0]
+                    ip = ipaddress.ip_address(ip_str)
+                    if ip.is_private or ip.is_loopback:
+                        log.warning(f"Skipping unsafe URL (domain {hostname} resolves to private IP {ip}): {sanitize_for_log(url)}")


main.py

+                    if ip.is_private or ip.is_loopback:
+                        log.warning(f"Skipping unsafe URL (domain {hostname} resolves to private IP {ip}): {sanitize_for_log(url)}")
+                        return False
+            except (socket.gaierror, ValueError, OSError) as e:


tests/test_ssrf.py

@@ -0,0 +1,54 @@
+import unittest


tests/test_ssrf.py

+# Add root to path to import main
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+import main


tests/test_ssrf.py

+
+import main
+
+class TestSSRF(unittest.TestCase):


tests/test_ssrf.py

@@ -0,0 +1,54 @@
+import unittest
+from unittest.mock import patch, MagicMock


The implemented code fix for SSRF was superseded by PR #109. Retaining the security journal entry for future reference regarding DNS resolution and private IP validation.

This reverts commit [previous_commit_hash]. This PR is superseded by PR #109 which implements the same fix. Reverting changes to close this branch cleanly.

feat: enhance SSRF protection by resolving domains

f6e2ee3

github-actions bot added the python label Jan 17, 2026

github-advanced-security bot found potential problems Jan 17, 2026

View reviewed changes

abhimehro merged commit 9259fef into main Jan 18, 2026
18 checks passed

abhimehro deleted the sentinel-ssrf-fix-13102230351974662327 branch January 18, 2026 05:29

		@@ -0,0 +1,54 @@
		import unittest
		from unittest.mock import patch, MagicMock


		self.assertTrue(result, "Should allow domain resolving to public IP")

		if __name__ == '__main__':

Conversation

google-labs-jules bot commented Jan 17, 2026

Uh oh!

google-labs-jules bot commented Jan 17, 2026

Uh oh!

trunk-io bot commented Jan 17, 2026

Uh oh!

Check notice

Check notice

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check notice

Check notice

Check notice

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Check notice

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant