abhimehro · google-labs-jules · Jan 13, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -39,3 +39,11 @@
 **Prevention:**
 1. Parse URLs and check hostnames against `localhost` and private IP ranges using `ipaddress` module.
 2. Enforce strict length limits on user inputs (e.g., profile IDs) to prevent resource exhaustion or buffer abuse.
+
+## 2025-02-17 - [SSRF DNS Rebinding Prevention]
+**Vulnerability:** The `validate_folder_url` function checked for private IP literals but allowed domain names that resolved to private IPs, making the application vulnerable to SSRF via DNS rebinding or simple internal domain names.
+**Learning:** Simply checking if a hostname is a private IP string is not enough. You must resolve the domain to an IP address and check the resolved IP against private ranges.
+**Prevention:**
+1. Resolve domains using `socket.gethostbyname` or similar.
+2. Validate the resolved IP against private IP ranges using `ipaddress.is_private`.
+3. Handle DNS resolution failures gracefully (fail closed).
diff --git a/main.py b/main.py
@@ -23,6 +23,7 @@
 import concurrent.futures
 import threading
 import ipaddress
+import socket
 from urllib.parse import urlparse
 from typing import Dict, List, Optional, Any, Set, Sequence
 
@@ -205,12 +206,18 @@
 
         try:
             ip = ipaddress.ip_address(hostname)
-            if ip.is_private or ip.is_loopback:
-                log.warning(f"Skipping unsafe URL (private IP): {sanitize_for_log(url)}")
-                return False
         except ValueError:
-            # Not an IP literal, it's a domain.
-            pass
+            # Not an IP literal, try to resolve domain
+            try:
+                ip_str = socket.gethostbyname(hostname)
+                ip = ipaddress.ip_address(ip_str)
+            except (socket.gaierror, ValueError) as e:
+                log.warning(f"Failed to resolve hostname for {sanitize_for_log(url)}: {e}")
+                return False
+
+        if ip.is_private or ip.is_loopback:
+            log.warning(f"Skipping unsafe URL (resolves to private IP): {sanitize_for_log(url)} -> {ip}")
+            return False
 
     except Exception as e:
         log.warning(f"Failed to validate URL {sanitize_for_log(url)}: {e}")