fix(#123): address review feedback on SSRF defense

- Clone http.DefaultTransport instead of bare &http.Transport{} to preserve ProxyFromEnvironment, TLSHandshakeTimeout, IdleConnTimeout, connection pooling, and HTTP/2 support (fixes transport regression). - Add IPv6-mapped IPv4 normalization in action.yml Python SSRF checks to prevent bypass via ::ffff:10.0.0.1 style AAAA records. - Reject URLs with user-info (user:pass@host) in action.yml Python checks to match validate-url subcommand behavior. - Add test verifying DefaultTransport settings are preserved.
2026-05-14 04:49:21 -07:00
parent 5ac93bea70
commit 934c6728ee
3 changed files with 66 additions and 5 deletions
@@ -201,13 +201,17 @@ runs:
          printf '%s\n' \
            'import socket,ipaddress,sys,os' \
            'from urllib.parse import urlparse' \
-            'u=os.environ["CHECK_URL"]; h=urlparse(u).hostname' \
+            'u=os.environ["CHECK_URL"]; parsed=urlparse(u)' \
+            'if parsed.username or parsed.password:' \
+            '  print("Error: URL contains user-info — not allowed",file=sys.stderr); sys.exit(2)' \
+            'h=parsed.hostname' \
            '(print("Error: no hostname",file=sys.stderr) or sys.exit(2)) if not h else None' \
            'try: rs=socket.getaddrinfo(h,None)' \
            'except socket.gaierror as e: print(f"DNS error: {e}",file=sys.stderr); sys.exit(1)' \
            'if not rs: print("Error: no addresses",file=sys.stderr); sys.exit(1)' \
            'for _,_,_,_,(a,*_) in rs:' \
            '  ip=ipaddress.ip_address(a)' \
+            '  if isinstance(ip,ipaddress.IPv6Address) and ip.ipv4_mapped: ip=ip.ipv4_mapped' \
            '  if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:' \
            '    print(f"blocked: {a}",file=sys.stderr); sys.exit(1)' \
            > /tmp/_ssrf_check.py
@@ -344,13 +348,17 @@ runs:
          printf '%s\n' \
            'import socket,ipaddress,sys,os' \
            'from urllib.parse import urlparse' \
-            'u=os.environ["CHECK_URL"]; h=urlparse(u).hostname' \
+            'u=os.environ["CHECK_URL"]; parsed=urlparse(u)' \
+            'if parsed.username or parsed.password:' \
+            '  print("Error: URL contains user-info — not allowed",file=sys.stderr); sys.exit(2)' \
+            'h=parsed.hostname' \
            '(print("Error: no hostname",file=sys.stderr) or sys.exit(2)) if not h else None' \
            'try: rs=socket.getaddrinfo(h,None)' \
            'except socket.gaierror as e: print(f"DNS error: {e}",file=sys.stderr); sys.exit(1)' \
            'if not rs: print("Error: no addresses",file=sys.stderr); sys.exit(1)' \
            'for _,_,_,_,(a,*_) in rs:' \
            '  ip=ipaddress.ip_address(a)' \
+            '  if isinstance(ip,ipaddress.IPv6Address) and ip.ipv4_mapped: ip=ip.ipv4_mapped' \
            '  if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:' \
            '    print(f"blocked: {a}",file=sys.stderr); sys.exit(1)' \
              > /tmp/_ssrf_check_install.py