Merge pull request #199 from AikidoSec/fix-issue-with-hostnames

bitterpanda63 · web-flow · commit 93c067844c8d · 2025-07-22T09:54:25.000Z
SSRF: do not flag attacks using service hostnames
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/FindHostnameInContext.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/FindHostnameInContext.java
@@ -10,6 +10,7 @@
 
 import static dev.aikido.agent_api.helpers.url.UrlParser.tryParseUrl;
 import static dev.aikido.agent_api.vulnerabilities.ssrf.RequestToItselfChecker.isRequestToItself;
+import static dev.aikido.agent_api.vulnerabilities.ssrf.RequestToServiceHostnameChecker.isRequestToServiceHostname;
 
 public final class FindHostnameInContext {
     private FindHostnameInContext() {}
@@ -22,6 +23,11 @@ public static Res findHostnameInContext(String hostname, ContextObject context,
             return null;
         }
 
+        // We don't want to block outgoing requests where the hostname is a service name, even if it's inside user input
+        if (isRequestToServiceHostname(hostname)) {
+            return null;
+        }
+
         Map<String, Map<String, String>> stringsFromContext = new StringsFromContext(context).getAll();
         for (Map.Entry<String, Map<String, String>> sourceEntry : stringsFromContext.entrySet()) {
             String source = sourceEntry.getKey();
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/RequestToServiceHostnameChecker.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/RequestToServiceHostnameChecker.java
@@ -0,0 +1,24 @@
+package dev.aikido.agent_api.vulnerabilities.ssrf;
+
+import java.util.List;
+import java.util.regex.Pattern;
+
+public final class RequestToServiceHostnameChecker {
+    // Pattern allows alphanumerical input (case-insensitive), dashes (-) and underscores (_)
+    private static final Pattern SERVICE_HOSTNAME_PATTERN = Pattern.compile("^[a-zA-Z0-9-_]+$");
+    private static final List ALLOWED_LOCALHOST_VARIANTS = List.of(
+        "localhost", "localdomain"
+    );
+
+    public static boolean isRequestToServiceHostname(String hostname) {
+        if (hostname == null) {
+            return false;
+        }
+        if (ALLOWED_LOCALHOST_VARIANTS.contains(hostname.toLowerCase())) {
+            // "localhost" or its variants are not service hostnames
+            return false;
+        }
+
+        return SERVICE_HOSTNAME_PATTERN.matcher(hostname).matches();
+    }
+}
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/RequestToServiceHostnameCheckerTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/RequestToServiceHostnameCheckerTest.java
@@ -0,0 +1,103 @@
+package vulnerabilities.ssrf;
+
+import dev.aikido.agent_api.vulnerabilities.ssrf.RequestToServiceHostnameChecker;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class RequestToServiceHostnameCheckerTest {
+
+    @Test
+    void testValidHostnames() {
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid_hostname"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid-hostname"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid123"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("hostname_with_underscores-and-dashes"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("123456"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("a-b_c"));
+    }
+
+    @Test
+    void testInvalidHostnames() {
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname(null));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname(""));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname(" "));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("invalid@hostname"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("invalid#hostname"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("invalid/hostname"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("invalid:hostname"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("invalid;hostname"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("invalid.hostname"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("invalid_hostname!"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("invalid-hostname*"));
+    }
+
+    @Test
+    void testEdgeCases() {
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("-leadingdash"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("_leadingunderscore"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("trailingdash-"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("trailingunderscore_"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("dash--dash"));
+        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("underscore__underscore"));
+
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("-leadingdash."));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("_leadingunderscore."));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname(".trailingdash-"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname(".trailingunderscore_"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("dash--dash."));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname(".underscore__underscore"));
+    }
+
+    @Test
+    void testMixedValidAndInvalidCharacters() {
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid_hostname!@#"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid-hostname$%^"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid123&*()"));
+    }
+
+    @Test
+    void testAllowedLocalhostVariants() {
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("localhost"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("localhost.localdomain"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("LOCALHOST"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("LocalHost"));
+
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("Host.docker.Internal"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("host.docker.internal"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("kubernetes.docker.internal"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("KUBERNETES.DOCKER.INTERNAL"));
+
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("localdomain"));
+    }
+
+    @Test
+    void testOtherLocalhostVariants() {
+        // If you want to test other variants that are not in the allowed list
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("127.0.0.1"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("::1"));
+    }
+
+    @Test
+    void testAllowedIPv4Addresses() {
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("192.168.1.1"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("255.255.255.255"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("0.0.0.0"));
+    }
+
+    @Test
+    void testAllowedIPv6Addresses() {
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("2001:0db8:85a3:0000:0000:8a2e:0370:7334"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("::1"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("::ffff:192.168.1.1"));
+    }
+
+    @Test
+    void testAllowedNormalHostnames() {
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("google.com"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("subdomain.example.com"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("example.com"));
+    }
+}
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/SSRFDetectorTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/SSRFDetectorTest.java
@@ -127,4 +127,21 @@ public void testSsrfDetectorWithRedirectToLocalhostButIsRequestToItself() throws
 
         assertNull(attackData);
     }
+
+    @Test
+    @SetEnvironmentVariable(key = "AIKIDO_TOKEN", value = "invalid-token")
+    public void testSsrfDetectorWithServiceHostnameInRedirect() throws MalformedURLException {
+        // Setup context :
+        setContextAndLifecycle("http://mysql-database/ssrf-test");
+
+        URLCollector.report(new URL("http://mysql-database/ssrf-test"));
+        RedirectCollector.report(new URL("http://mysql-database/ssrf-test"), new URL("http://127.0.0.1:8080"));
+        Attack attackData = new SSRFDetector().run(
+            "127.0.0.1", 8080,
+            List.of("127.0.0.1"),
+            "testop"
+        );
+
+        assertNull(attackData);
+    }
 }
