[PR #576] Fix ssrf validation #574

New issue

Open

opened 2026-02-26 10:32:16 +03:00 by kerem · 0 comments

kerem commented

2026-02-26 10:32:16 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/nsupdate-info/nsupdate.info/pull/576
Author: @whitesquirrell
Created: 4/14/2025
Status: 🔄 Open

Base: master ← Head: master

📝 Commits (1)

d612cd5 Fix ssrf validation

📊 Changes

1 file changed (+23 additions, -1 deletions)

View changed files

📝 src/nsupdate/main/forms.py (+23 -1)

📄 Description

Summary

This pull request addresses a potential Server-Side Request Forgery (SSRF) vulnerability in the EditDomainForm.clean() method.

Details

Currently, the form accepts arbitrary nameserver_ip inputs, which are passed to the check_domain() function. This leads to dynamic DNS update attempts to the specified IP address, including internal ones (e.g., 127.0.0.1). As a result, attackers could potentially:

Probe internal network services
Interact with unintended internal DNS servers
Perform SSRF attacks using the application's backend

Fix

This patch adds validation using Python’s ipaddress module to reject loopback, private, and reserved IP addresses before performing any DNS update.

Impact

This prevents misuse of the DNS update mechanism and mitigates the risk of SSRF attacks via internal IP injection.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/nsupdate-info/nsupdate.info/pull/576 **Author:** [@whitesquirrell](https://github.com/whitesquirrell) **Created:** 4/14/2025 **Status:** 🔄 Open **Base:** `master` ← **Head:** `master` --- ### 📝 Commits (1) - [`d612cd5`](https://github.com/nsupdate-info/nsupdate.info/commit/d612cd5aee7a471c134c3772aa7628f97dbf6d82) Fix ssrf validation ### 📊 Changes **1 file changed** (+23 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `src/nsupdate/main/forms.py` (+23 -1) </details> ### 📄 Description ### Summary This pull request addresses a potential Server-Side Request Forgery (SSRF) vulnerability in the `EditDomainForm.clean()` method. ### Details Currently, the form accepts arbitrary `nameserver_ip` inputs, which are passed to the `check_domain()` function. This leads to dynamic DNS update attempts to the specified IP address, including internal ones (e.g., 127.0.0.1). As a result, attackers could potentially: - Probe internal network services - Interact with unintended internal DNS servers - Perform SSRF attacks using the application's backend ### Fix This patch adds validation using Python’s `ipaddress` module to reject loopback, private, and reserved IP addresses before performing any DNS update. ### Impact This prevents misuse of the DNS update mechanism and mitigates the risk of SSRF attacks via internal IP injection. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>