🛡️ Sentinel: [CRITICAL] Fix SSRF via DNS Rebinding

[abhimehro]

🚨 Severity: CRITICAL
💡 Vulnerability: SSRF (Server-Side Request Forgery) via DNS Rebinding. An attacker could control a domain to resolve to a public IP during initial validation checks, but switch to a private/local IP (e.g., 127.0.0.1) during the actual HTTP request, bypassing security controls.
🎯 Impact: This could allow an attacker to access internal services or loopback interfaces that should not be accessible from the outside.
🔧 Fix: Implemented Post-Connect Verification. By inspecting the server_addr from the established connection's socket information, we verify the actual IP address used. If it is a private or multicast IP, the request is aborted.
✅ Verification: Added a new test tests/test_ssrf_fix.py which mocks the httpx response stream to simulate a connection to a private IP and asserts that a ValueError is raised. Verified that normal public IP connections are still allowed.

---

PR created automatically by Jules for task 2214977954974444498 started by @abhimehro

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[trunk-io]

Merging to main in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

[gemini-code-assist]

Summary of Changes

Hello @abhimehro, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a crucial security enhancement to mitigate a critical SSRF vulnerability stemming from DNS Rebinding attacks. By implementing a post-connection IP verification, the system now rigorously checks the actual endpoint of HTTP requests, preventing malicious redirection to internal networks. The changes also include comprehensive test cases to validate the fix and updates to project dependencies and documentation to reflect the security measure.

Highlights

• Critical Security Fix: This pull request addresses a critical Server-Side Request Forgery (SSRF) vulnerability caused by DNS Rebinding. The fix implements a 'Post-Connect Verification' mechanism to ensure the actual IP address connected to is not a private or multicast IP, even if initial DNS resolution passed validation.
• Post-Connect Verification Logic: The _gh_get function in main.py now inspects the server_addr from the established httpx network stream. If the connected IP is identified as private or multicast, a ValueError is raised, effectively blocking the request.
• New Test Coverage: A new test file, tests/test_ssrf_fix.py, has been added. It includes tests that simulate DNS Rebinding by mocking httpx responses to private IPs, asserting that the security fix correctly raises a ValueError, while also verifying that connections to public IPs remain functional.
• Dependency and Environment Updates: The minimum required Python version in uv.lock has been adjusted from 3.13 to 3.12, and typing-extensions has been added as a conditional dependency for Python versions below 3.13 to ensure broader compatibility.
• Security Documentation: A new markdown file, .jules/sentinel.md, has been added to document the DNS Rebinding vulnerability, the lessons learned, and the prevention strategy implemented.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a critical security fix for a potential SSRF vulnerability via DNS rebinding. The approach of using post-connect verification by checking the socket's server address is robust and well-implemented. The new tests effectively validate the fix for the intended scenarios.

I've added one critical review comment in main.py to address a case where the fix could be bypassed, and a suggestion in tests/test_ssrf_fix.py to add a test case for this scenario to ensure the fix is comprehensive. Overall, this is an excellent and important contribution to the security of the application.

[gemini-code-assist]

This try...except block currently fails open. If ipaddress.ip_address(ip_str) raises a ValueError (e.g., if ip_str is not a valid IP address), ip is set to None. The subsequent check if ip and ... will then be false, and the request processing will continue, bypassing the security validation.

For security-critical checks, it's crucial to fail closed. If the IP address cannot be parsed, we should treat it as a potential threat and abort the request. I suggest modifying this to raise an exception if parsing fails.

Suggested change

	try:
	ip = ipaddress.ip_address(ip_str)
	except ValueError:
	# server_addr[0] might not be an IP string (unlikely for TCP)
	ip = None
	if ip and (not ip.is_global or ip.is_multicast):
	raise ValueError(
	f"Security Alert: Domain resolved to private IP {ip_str} (DNS Rebinding protection)"
	)
	try:
	ip = ipaddress.ip_address(ip_str)
	except ValueError as e:
	# Fail closed: if we can't parse the IP, we can't trust it.
	raise ValueError(f"Security Alert: Could not parse server IP '{ip_str}' for validation.") from e
	if not ip.is_global or ip.is_multicast:
	raise ValueError(
	f"Security Alert: Domain resolved to private IP {ip_str} (DNS Rebinding protection)"
	)

[gemini-code-assist]

To complement the proposed change in main.py and ensure the security check is robust, it would be beneficial to add a test case that verifies the system fails closed when the connected address is not a valid IP string. This ensures that unexpected return values from get_extra_info are handled securely.

    assert result == {"valid": "json"}

def test_gh_get_blocks_invalid_ip_after_connect(monkeypatch):
    """
    Test that _gh_get raises ValueError if the connection was established to an invalid IP.
    This ensures we fail-closed if the server address is not a parsable IP.
    """

    # Mock response stream with an invalid IP string
    mock_stream = MagicMock()
    mock_stream.get_extra_info.return_value = ('not-a-valid-ip', 443)

    mock_response = MagicMock(spec=httpx.Response)
    mock_response.extensions = {"network_stream": mock_stream}
    mock_response.headers = {}
    mock_response.iter_bytes.return_value = [b'{}']
    mock_response.raise_for_status.return_value = None

    # Context manager mock for stream()
    mock_context = MagicMock()
    mock_context.__enter__.return_value = mock_response
    mock_context.__exit__.return_value = None

    # Mock _gh.stream
    mock_gh = MagicMock()
    mock_gh.stream.return_value = mock_context

    monkeypatch.setattr(main, "_gh", mock_gh)

    # We expect ValueError because the IP is invalid and we should fail closed.
    with pytest.raises(ValueError, match="Security Alert: Could not parse server IP"):
        main._gh_get("https://example.com/config.json")

[Copilot]

Pull request overview

This PR implements a critical security fix for Server-Side Request Forgery (SSRF) via DNS Rebinding attacks. The vulnerability allowed attackers to bypass URL validation by controlling DNS to resolve to a public IP initially, then switching to a private IP during the actual HTTP request. The fix adds post-connect verification by inspecting the actual IP address from the established socket connection.

Changes:

• Added post-connect IP verification in _gh_get() to check the actual connected IP address
• Created new test file test_ssrf_fix.py with tests for private and public IP scenarios
• Updated Python version requirement from >=3.13 to >=3.12 in uv.lock (inconsistent with pyproject.toml)
• Added sentinel documentation explaining the vulnerability and prevention strategy

Reviewed changes

Copilot reviewed 3 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
main.py	Implements post-connect SSRF verification using httpx's network_stream extension to check the actual server IP address after connection establishment
tests/test_ssrf_fix.py	Adds pytest-based tests to verify private IPs are blocked and public IPs are allowed after connection
uv.lock	Changes Python requirement to >=3.12 and adds typing-extensions dependency for Python <3.13 compatibility
.python-version	Formatting change only, maintains Python 3.13
.jules/sentinel.md	Documents the DNS rebinding vulnerability, learning, and prevention strategy

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Consider adding logging when the post-connect SSRF verification cannot be performed (e.g., when network_stream is not available in extensions). While the initial URL validation provides protection, logging would help detect if the defense-in-depth layer is being bypassed due to httpx implementation changes or unexpected conditions. For example, add a log.debug or log.warning when stream is None.

Suggested change

	)
	)
	else:
	# If httpx does not expose a network_stream, we cannot perform the
	# post-connect SSRF verification; log this for observability.
	log.warning(
	"Post-connect SSRF verification skipped for %s: network_stream extension missing",
	sanitize_for_log(url),
	)

[Copilot]

The fixture should clear the cache after each test as well to ensure proper test isolation. Change the fixture to use yield:

@pytest.fixture(autouse=True)
def clear_cache():
    main._cache.clear()
    yield
    main._cache.clear()

This pattern is consistent with the setUp/tearDown pattern used in other test files like test_cache_optimization.py.

Suggested change

	main._cache.clear()
	main._cache.clear()
	yield
	main._cache.clear()

[Copilot]

Consider adding additional test cases to improve coverage of the SSRF fix:

1. IPv6 loopback address (::1)
2. IPv6 private address (e.g., fc00::1)
3. Multicast IP address (e.g., 224.0.0.1)
4. Case where network_stream is not available in extensions
5. Case where server_addr is None or empty

These additional tests would help ensure the security fix handles all edge cases correctly.