ssrf: fix post-request effective hostname handling + harden tests (#377)

PopoviciMarian · web-flow · commit 62addb81fde5 · 2026-01-08T13:22:40.000+02:00
diff --git a/README.md b/README.md
@@ -39,25 +39,25 @@ Prerequisites:
 
 ##### x86_64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.12/aikido-php-firewall.x86_64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.13/aikido-php-firewall.x86_64.rpm
 ```
 
 ##### arm64 / aarch64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.12/aikido-php-firewall.aarch64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.13/aikido-php-firewall.aarch64.rpm
 ```
 
 #### For Debian-based Systems (Debian, Ubuntu)
 
 ##### x86_64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.12/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.13/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 
 ##### arm64 / aarch64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.12/aikido-php-firewall.aarch64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.13/aikido-php-firewall.aarch64.deb
 dpkg -i -E ./aikido-php-firewall.aarch64.deb
 ```
 
diff --git a/docs/aws-elastic-beanstalk.md b/docs/aws-elastic-beanstalk.md
@@ -4,7 +4,7 @@
 ```
 commands:
   aikido-php-firewall:
-    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.12/aikido-php-firewall.x86_64.rpm"
+    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.4.13/aikido-php-firewall.x86_64.rpm"
     ignoreErrors: true
 
 files:
diff --git a/docs/fly-io.md b/docs/fly-io.md
@@ -32,7 +32,7 @@ Create a script to install the Aikido PHP Firewall during deployment:
 #!/usr/bin/env bash
 cd /tmp
 
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.12/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.13/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 
diff --git a/docs/laravel-forge.md b/docs/laravel-forge.md
@@ -8,7 +8,7 @@ You can get your token from the [Aikido Security Dashboard](https://help.aikido.
 
 Go to "Commands" and run the following by replacing the sudo password with the one that Forge displays when the server is created:
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.12/aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S dpkg -i -E ./aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S service php8.4-fpm restart
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.4.13/aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S dpkg -i -E ./aikido-php-firewall.x86_64.deb && echo "YOUR_SUDO_PASSWORD_HERE" | sudo -S service php8.4-fpm restart
 ```
 
 ![Forge Commands](./forge-commands.png)
diff --git a/lib/agent/constants/constants.go b/lib/agent/constants/constants.go
@@ -1,7 +1,7 @@
 package constants
 
 const (
-	Version                             = "1.4.12"
+	Version                             = "1.4.13"
 	SocketPath                          = "/run/aikido-" + Version + "/aikido-agent.sock"
 	PidPath                             = "/run/aikido-" + Version + "/aikido-agent.pid"
 	ConfigUpdatedAtMethod               = "GET"
diff --git a/lib/php-extension/include/php_aikido.h b/lib/php-extension/include/php_aikido.h
@@ -3,7 +3,7 @@
 extern zend_module_entry aikido_module_entry;
 #define phpext_aikido_ptr &aikido_module_entry
 
-#define PHP_AIKIDO_VERSION "1.4.12"
+#define PHP_AIKIDO_VERSION "1.4.13"
 
 #if defined(ZTS) && defined(COMPILE_DL_AIKIDO)
 ZEND_TSRMLS_CACHE_EXTERN()
diff --git a/lib/request-processor/globals/globals.go b/lib/request-processor/globals/globals.go
@@ -62,6 +62,6 @@ func CreateServer(token string) *ServerData {
 }
 
 const (
-	Version    = "1.4.12"
+	Version    = "1.4.13"
 	SocketPath = "/run/aikido-" + Version + "/aikido-agent.sock"
 )
diff --git a/lib/request-processor/vulnerabilities/ssrf/checkContextForSSRF.go b/lib/request-processor/vulnerabilities/ssrf/checkContextForSSRF.go
@@ -81,9 +81,10 @@ func CheckEffectiveHostnameForSSRF(effectiveHostname string) *utils.InterceptorR
 			// Hostname was found in user input and the effective hostname (after redirects) resolved to a private IP address -> SSRF
 			interceptorResult.Metadata["isPrivateIp"] = "true"
 		}
+		return interceptorResult
 	}
 
-	return interceptorResult
+	return nil
 }
 
 /* This is called after the request is made to check for SSRF in the resolvedIP - IP optained from the PHP library that made the request (curl) */
diff --git a/lib/request-processor/vulnerabilities/ssrf/checkPostRequestSSRF_test.go b/lib/request-processor/vulnerabilities/ssrf/checkPostRequestSSRF_test.go
@@ -0,0 +1,134 @@
+package ssrf
+
+import (
+	"main/context"
+	"main/utils"
+	"testing"
+)
+
+func TestCheckResolvedIpForSSRF_NoStoredInterceptorResult_ReturnsNil(t *testing.T) {
+	context.ResetEventContext()
+	t.Cleanup(func() { context.ResetEventContext() })
+
+	if res := CheckResolvedIpForSSRF("127.0.0.1"); res != nil {
+		t.Fatalf("expected nil, got %#v", res)
+	}
+}
+
+func TestCheckResolvedIpForSSRF_PublicIp_ReturnsNil(t *testing.T) {
+	context.ResetEventContext()
+	t.Cleanup(func() { context.ResetEventContext() })
+
+	ir := &utils.InterceptorResult{
+		Operation: "curl_exec",
+		Kind:      utils.Ssrf,
+		Source:    "body",
+		Metadata:  map[string]string{},
+		Payload:   "http://example.test",
+	}
+	context.EventContextSetCurrentSsrfInterceptorResult(ir)
+
+	if res := CheckResolvedIpForSSRF("8.8.8.8"); res != nil {
+		t.Fatalf("expected nil, got %#v", res)
+	}
+	if _, ok := ir.Metadata["isPrivateIp"]; ok {
+		t.Fatalf("expected isPrivateIp to not be set for public IP")
+	}
+	if _, ok := ir.Metadata["resolvedIp"]; ok {
+		t.Fatalf("expected resolvedIp to not be set for public IP")
+	}
+}
+
+func TestCheckResolvedIpForSSRF_PrivateIp_ReturnsInterceptorResultWithMetadata(t *testing.T) {
+	context.ResetEventContext()
+	t.Cleanup(func() { context.ResetEventContext() })
+
+	ir := &utils.InterceptorResult{
+		Operation: "curl_exec",
+		Kind:      utils.Ssrf,
+		Source:    "body",
+		Metadata:  map[string]string{},
+		Payload:   "http://example.test",
+	}
+	context.EventContextSetCurrentSsrfInterceptorResult(ir)
+
+	res := CheckResolvedIpForSSRF("127.0.0.1")
+	if res == nil {
+		t.Fatalf("expected non-nil interceptor result")
+	}
+	if res != ir {
+		t.Fatalf("expected returned interceptor result to be the stored one")
+	}
+	if got := res.Metadata["resolvedIp"]; got != "127.0.0.1" {
+		t.Fatalf("expected resolvedIp=127.0.0.1, got %q", got)
+	}
+	if got := res.Metadata["isPrivateIp"]; got != "true" {
+		t.Fatalf("expected isPrivateIp=true, got %q", got)
+	}
+}
+
+func TestCheckEffectiveHostnameForSSRF_PrivateIpHostname_ReturnsInterceptorResultWithMetadata(t *testing.T) {
+	context.ResetEventContext()
+	t.Cleanup(func() { context.ResetEventContext() })
+
+	ir := &utils.InterceptorResult{
+		Operation: "curl_exec",
+		Kind:      utils.Ssrf,
+		Source:    "body",
+		Metadata:  map[string]string{},
+		Payload:   "http://example.test",
+	}
+	context.EventContextSetCurrentSsrfInterceptorResult(ir)
+
+	res := CheckEffectiveHostnameForSSRF("127.0.0.1")
+	if res == nil {
+		t.Fatalf("expected non-nil interceptor result")
+	}
+	if res != ir {
+		t.Fatalf("expected returned interceptor result to be the stored one")
+	}
+	if got := res.Metadata["effectiveHostname"]; got != "127.0.0.1" {
+		t.Fatalf("expected effectiveHostname=127.0.0.1, got %q", got)
+	}
+	if got := res.Metadata["resolvedIp"]; got != "127.0.0.1" {
+		t.Fatalf("expected resolvedIp=127.0.0.1, got %q", got)
+	}
+	if got := res.Metadata["isPrivateIp"]; got != "true" {
+		t.Fatalf("expected isPrivateIp=true, got %q", got)
+	}
+}
+
+func TestCheckEffectiveHostnameForSSRF_IMDSHostname_ReturnsInterceptorResultWithIMDSMetadata(t *testing.T) {
+	context.ResetEventContext()
+	t.Cleanup(func() { context.ResetEventContext() })
+
+	ir := &utils.InterceptorResult{
+		Operation: "curl_exec",
+		Kind:      utils.Ssrf,
+		Source:    "body",
+		Metadata:  map[string]string{},
+		Payload:   "http://example.test",
+	}
+	context.EventContextSetCurrentSsrfInterceptorResult(ir)
+
+	res := CheckEffectiveHostnameForSSRF("169.254.169.254")
+	if res == nil {
+		t.Fatalf("expected non-nil interceptor result")
+	}
+	if res != ir {
+		t.Fatalf("expected returned interceptor result to be the stored one")
+	}
+	if got := res.Metadata["effectiveHostname"]; got != "169.254.169.254" {
+		t.Fatalf("expected effectiveHostname=169.254.169.254, got %q", got)
+	}
+	if got := res.Metadata["resolvedIp"]; got != "169.254.169.254" {
+		t.Fatalf("expected resolvedIp=169.254.169.254, got %q", got)
+	}
+	if got := res.Metadata["isIMDSIp"]; got != "true" {
+		t.Fatalf("expected isIMDSIp=true, got %q", got)
+	}
+	// IMDS IPv4 is also in private ranges in our implementation.
+	if got := res.Metadata["isPrivateIp"]; got != "true" {
+		t.Fatalf("expected isPrivateIp=true, got %q", got)
+	}
+}
diff --git a/package/rpm/aikido.spec b/package/rpm/aikido.spec
@@ -1,5 +1,5 @@
 Name:           aikido-php-firewall
-Version:        1.4.12
+Version:        1.4.13
 Release:        1
 Summary:        Aikido PHP Extension
 License:        GPL
diff --git a/tests/server/test_ssrf_curl/test.py b/tests/server/test_ssrf_curl/test.py
@@ -21,6 +21,11 @@ def check_ssrf(url, response_code, response_body, event_id, expected_json):
     assert_started_event_is_valid(events[0])
     assert_event_contains_subset_file(events[event_id], expected_json)
 
+
+def check_false_positive_ssrf(url, response_code):
+    response = php_server_post("/testDetection", {"url": url})
+    assert_response_code_is(response, response_code)
+
 def run_test():
     check_ssrf("http://127.0.0.1:8081", 500, "", 1, "expect_detection_blocked.json")
     
@@ -33,6 +38,11 @@ def run_test():
     
     check_ssrf(f"http://app.example.local:{get_mock_port()}/tests/simple", 500, "", 3, "expect_detection_blocked_resolved_ip.json")
     
+    # http://ssrf-redirects.testssandbox.com/ssrf-test-domain -> http://local.aikido.io/test
+    # add a local.aikido.io to the hosts file and check that the request is not blocked (public IP address)
+    add_to_hosts_file("local.aikido.io", "8.8.8.8")
+    check_false_positive_ssrf(f"http://ssrf-redirects.testssandbox.com/ssrf-test-domain", 200)
+
 if __name__ == "__main__":
     load_test_args()
     run_test()

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,6 @@ func CreateServer(token string) *ServerData {`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`const (`
`65`		`- Version = "1.4.12"`
	`65`	`+ Version = "1.4.13"`
`66`	`66`	`SocketPath = "/run/aikido-" + Version + "/aikido-agent.sock"`
`67`	`67`	`)`
Original file line number	Diff line number	Diff line change
`@@ -81,9 +81,10 @@ func CheckEffectiveHostnameForSSRF(effectiveHostname string) *utils.InterceptorR`
`81`	`81`	`// Hostname was found in user input and the effective hostname (after redirects) resolved to a private IP address -> SSRF`
`82`	`82`	`interceptorResult.Metadata["isPrivateIp"] = "true"`
`83`	`83`	`}`
	`84`	`+ return interceptorResult`
`84`	`85`	`}`
`85`	`86`
`86`		`- return interceptorResult`
	`87`	`+ return nil`
`87`	`88`	`}`
`88`	`89`
`89`	`90`	`/* This is called after the request is made to check for SSRF in the resolvedIP - IP optained from the PHP library that made the request (curl) */`