🛡️ Sentinel: [HIGH] Fix SSRF DNS Rebinding vulnerability

[Doezer]

🚨 Severity: HIGH
💡 Vulnerability: SSRF Time-of-Check Time-of-Use (TOCTOU) via DNS Rebinding. The previous implementation checked only the first resolved IP address. An attacker could configure a domain to resolve to both a safe IP (passing the check) and an unsafe IP (accessed by fetch), or rebind the DNS between check and use.
🎯 Impact: Attackers could bypass SSRF protection to access internal services (e.g., localhost, metadata services) by using a domain that resolves to mixed safe/unsafe IPs.
🔧 Fix: Updated isSafeUrl and safeFetch in server/ssrf.ts to use dns.lookup({ all: true }) and validate all resolved IP addresses. If any resolved IP is unsafe, the request is blocked.
✅ Verification: Added a new test case in server/__tests__/ssrf.test.ts that mocks dns.lookup returning both safe and unsafe IPs, confirming the function now returns false/throws error.

---

PR created automatically by Jules for task 6441558472011113379 started by @Doezer

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Summary of Changes

Hello @Doezer, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application's security by patching a critical SSRF vulnerability. The core change involves a more thorough validation of IP addresses during DNS resolution, preventing attackers from bypassing internal network access controls through DNS rebinding. By checking all resolved IPs instead of just the first, the system now offers a stronger defense against malicious redirects to sensitive internal services.

Highlights

• SSRF DNS Rebinding Vulnerability Fix: Addressed a high-severity Server-Side Request Forgery (SSRF) vulnerability where the previous implementation only checked the first resolved IP address, making it susceptible to DNS rebinding attacks.
• Comprehensive IP Validation: Modified isSafeUrl and safeFetch functions to use dns.lookup({ all: true }) and validate all resolved IP addresses for a given hostname. If any resolved IP is deemed unsafe, the request is blocked.
• Enhanced Test Coverage: Introduced new test cases in server/__tests__/ssrf.test.ts to specifically cover scenarios involving hostnames that resolve to a mix of safe and unsafe IP addresses, as well as metadata service IPs, ensuring the fix is robust.

Changelog

• client/tests/GameDetailsModal.test.tsx
  • Reformatted test file for consistent indentation.
• client/tests/usenet-utils.test.ts
  • Reformatted test file for consistent indentation.
• client/src/components/RssFeedList.tsx
  • Reformatted JSX structure for improved readability.
• client/src/components/ui/badge.tsx
  • Reformatted interface definition for BadgeProps.
• client/src/pages/rss.tsx
  • Reformatted JSX structure for consistent indentation.
• client/src/pages/xrel-releases.tsx
  • Reformatted JSX structure and conditional rendering for consistent indentation.
• playwright.config.ts
  • Reformatted configuration object for consistent indentation and spacing.
• scripts/debug-igdb.ts
  • Removed an empty line and reformatted code for consistent indentation.
• server/tests/igdb.test.ts
  • Reformatted arrow function syntax and array literal for consistent indentation.
• server/tests/ssrf.test.ts
  • Updated dns.lookup mocks to return an array of addresses, aligning with the all: true option.
  • Added a new test case to verify that hostnames resolving to both safe and unsafe IPs are blocked.
  • Added a new test case to ensure hostnames resolving to metadata service IPs are blocked.
  • Added a new test case to safeFetch to reject requests if any resolved IP is unsafe, preventing DNS rebinding.
• server/rss.ts
  • Reformatted the catch block for processPendingItems for consistent arrow function syntax.
• server/ssrf.ts
  • Modified isSafeUrl to use dns.lookup(hostname, { all: true }) to retrieve all resolved IP addresses.
  • Implemented a loop in isSafeUrl to iterate through all resolved IP addresses and return false if any address is deemed unsafe.
  • Modified safeFetch to also use dns.lookup(hostname, { all: true }) and validate all resolved IP addresses, throwing an error if any are unsafe.
  • Added an explicit isSafeIp check in safeFetch when the hostname is already an IP address.
• tests/e2e/auth.spec.ts
  • Reformatted test code for consistent indentation and string literals.
• tests/e2e/game-details.spec.ts
  • Reformatted test code for consistent indentation and string literals.
• tests/e2e/navigation.spec.ts
  • Reformatted test code for consistent indentation and removed an empty line.

Activity

• This pull request was automatically created by Jules for task 6441558472011113379, initiated by @Doezer.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[codecov]

Codecov Report

❌ Patch coverage is 94.44444% with 1 line in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
server/ssrf.ts	94.11%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[gemini-code-assist]

Code Review

This pull request aims to address a critical SSRF vulnerability related to DNS rebinding by switching to dns.lookup({ all: true }) and validating all resolved IP addresses. However, the protection remains vulnerable to a TOCTOU (Time-of-Check Time-of-Use) attack for HTTPS requests because the validated IP address is not pinned for the actual network call. Additionally, two critical edge cases have been identified where an empty DNS resolution result could allow the vulnerability to persist, requiring further attention to ensure the fix is robust.

[gemini-code-assist]

If dns.lookup resolves to an empty array of addresses, the if (addresses.length > 0) condition will be false. In this case, address will retain its initial value of hostname. For HTTP requests, this means the final fetch call will use the original hostname instead of a pinned IP address, re-introducing the Time-of-Check Time-of-Use (TOCTOU) DNS rebinding vulnerability this PR aims to fix. A resolution to an empty list of addresses should be treated as a failure.

      if (addresses.length > 0) {
        address = addresses[0].address;
        family = addresses[0].family;
      } else {
        // If DNS resolves to an empty array, it's a resolution failure.
        throw new Error(`Failed to resolve hostname: ${hostname}`);
      }

[gemini-code-assist]

The implementation of DNS rebinding protection in safeFetch is incomplete for HTTPS requests. While the code correctly validates all resolved IP addresses (lines 191-198), it only 'pins' the IP address for HTTP requests (lines 228-238, outside this hunk but part of the logic). For HTTPS requests, the function uses the original urlStr (which contains the hostname) for the actual fetch call. This creates a Time-of-Check Time-of-Use (TOCTOU) vulnerability: an attacker can configure a malicious DNS server to return a safe IP during the dns.lookup call and then return an internal/unsafe IP (like 127.0.0.1) when the underlying HTTP client performs its own resolution for the actual request. To fully remediate this for HTTPS, you should use a custom DNS resolver or an agent that pins the connection to the validated IP address while maintaining the original hostname for SNI and certificate validation.

[gemini-code-assist]

If dns.lookup resolves to an empty array of addresses, this function will currently return true. This is incorrect, as a hostname that doesn't resolve to any IP (or resolves to an empty set) should be considered unsafe. This could happen for hostnames with only AAAA records on a network without IPv6 connectivity, for example. The function should return false if no addresses are found.

    const addresses = await dns.lookup(hostname, { all: true });
    if (addresses.length === 0) {
      return false;
    }
    // Check all resolved addresses to prevent DNS rebinding attacks
    for (const { address } of addresses) {
      if (!isSafeIp(address, options.allowPrivate)) {
        return false;
      }
    }
    return true;

[gemini-code-assist]

Code Review

This pull request primarily focuses on enhancing security by preventing DNS rebinding attacks in the isSafeUrl and safeFetch functions within server/ssrf.ts. The changes involve modifying dns.lookup to retrieve all resolved IP addresses for a given hostname and then iterating through them to ensure none are unsafe. Corresponding unit tests in server/__tests__/ssrf.test.ts were updated and expanded to cover these new security checks, including scenarios for DNS rebinding and metadata service IP blocking. Minor formatting adjustments were also made across several client-side and test files. The review comments highlight a critical client-side XSS vulnerability in client/src/components/RssFeedList.tsx due to unvalidated item.link usage, recommending a safeUrl utility. Additionally, the reviewer suggests further hardening the DNS resolution logic in server/ssrf.ts by adding explicit checks for empty address arrays returned by dns.lookup in both isSafeUrl and safeFetch, along with new unit tests for this edge case.

[gemini-code-assist]

There's a potential vulnerability here if dns.lookup resolves to an empty array of addresses. In that case, the for loop will not execute, and the function will return true, incorrectly marking a non-resolving (or maliciously-resolving) URL as safe. You should add a check for an empty addresses array and return false in that case.

    const addresses = await dns.lookup(hostname, { all: true });
    if (addresses.length === 0) {
      return false;
    }
    // Check all resolved addresses to prevent DNS rebinding attacks
    for (const { address } of addresses) {
      if (!isSafeIp(address, options.allowPrivate)) {
        return false;
      }
    }
    return true;

[gemini-code-assist]

If dns.lookup resolves to an empty array, addresses will be empty. The code will then proceed without setting address to a resolved IP. Later, for HTTP requests, safeUrl.hostname will be set to the original hostname, bypassing the IP pinning protection against TOCTOU vulnerabilities. You should handle the case where addresses is empty, for example by throwing an error.

    try {
      const addresses = await dns.lookup(hostname, { all: true });

      if (addresses.length === 0) {
        // Throw an error that will be caught and re-wrapped below.
        throw new Error("ENOTFOUND");
      }

      // Check all resolved addresses to prevent DNS rebinding attacks
      for (const { address } of addresses) {
        if (!isSafeIp(address, allowPrivate)) {
          throw new Error("Invalid or unsafe URL");
        }
      }

      // Use the first resolved address for HTTP pinning
      address = addresses[0].address;
      family = addresses[0].family;
    } catch (error) {
      if (error instanceof Error && error.message === "Invalid or unsafe URL") {
        throw error;
      }
      throw new Error(`Failed to resolve hostname: ${hostname}`);
    }

[gemini-code-assist]

The component is vulnerable to stored Cross-Site Scripting (XSS). The item.link value, which originates from an external RSS feed, is used directly in an href attribute on line 140 without validation. If an attacker provides a malicious RSS feed with a javascript: URL, the script will execute in the user's browser when the link is clicked. This can lead to session token theft or other client-side attacks.

Remediation:
Validate the item.link URL to ensure it uses a safe protocol (e.g., http: or https:). A safeUrl utility function, similar to the one in client/src/pages/xrel-releases.tsx, should be used before rendering the link.

Example usage: href={safeUrl(item.link)}

[gemini-code-assist]

The new tests for DNS rebinding are great. To improve test coverage for the edge case I pointed out in server/ssrf.ts, consider adding test cases for when dns.lookup resolves to an empty array.

For isSafeUrl, you could add:

  it("should return false if hostname resolves to no IPs", async () => {
    vi.mocked(dns.lookup).mockResolvedValueOnce([]);
    expect(await isSafeUrl("http://empty-resolve.com")).toBe(false);
  });

And for safeFetch:

  it("should reject if hostname resolves to no IPs", async () => {
    vi.mocked(dns.lookup).mockResolvedValueOnce([]);
    await expect(safeFetch("http://empty-resolve.com")).rejects.toThrow(
      "Failed to resolve hostname"
    );
  });