Merge pull request #234 from AikidoSec/fix-bypass-ssrf-case-insensitive-host

Add additional test cases for case-insensitive hostname detection in …

Author: tudor-timcu

lib/request-processor/helpers/tryParseURL.go

@@ -2,12 +2,20 @@ package helpers
 
 import (
 	"net/url"
+
+	"golang.org/x/net/idna"
 )
 
 func TryParseURL(input string) *url.URL {
 	parsedURL, err := url.ParseRequestURI(input)
 	if err != nil {
 		return nil
 	}
+
+	// Convert the host to Unicode if it's an IDN (https://www.rfc-editor.org/rfc/rfc3492)
+	parsedHost, err := idna.ToUnicode(parsedURL.Host)
+	if err == nil {
+		parsedURL.Host = parsedHost
+	}
 	return parsedURL
 }

lib/request-processor/vulnerabilities/ssrf/findHostnameInUserInput_test.go

@@ -11,7 +11,13 @@ func TestFindHostnameInUserInput(t *testing.T) {
 		port      uint32
 		expected  bool
 	}{
+		{"https://m%C3%BCnchen.de", "münchen.de", 0, true},
+		{"https://münchen.de", "xn--mnchen-3ya.de", 0, true},
+		{"https://xn--mnchen-3ya.de", "münchen.de", 0, true},
 		{"hTTps://lOcalhosT:8081", "Localhost", 8081, true},
+		{"MÜNCHEN.DE", "münchen.de", 0, true},
+		{"HTTP://localhost", "loCalhost", 0, true},
+		{"http://LOCALHOST", "loCalhOst", 0, true},
 		{"", "", 0, false},
 		{"", "example.com", 0, false},
 		{"http://example.com", "", 0, false},