Skip to content

FIX: Fix possible SSRF bypass in _is_azure_blob_url host parsing#2180

Merged
jsong468 merged 1 commit into
microsoft:mainfrom
jsong468:icmticket120007
Jul 13, 2026
Merged

FIX: Fix possible SSRF bypass in _is_azure_blob_url host parsing#2180
jsong468 merged 1 commit into
microsoft:mainfrom
jsong468:icmticket120007

Conversation

@jsong468

Copy link
Copy Markdown
Contributor

Description:

  • _is_azure_blob_url derived the host by manually splitting netloc on ":", which mis-parses URLs that embed userinfo (user@host). A crafted URL such as https://a.blob.core.windows.net:80@127.0.0.1:6666 was classified as an allowed Azure Blob URL even though the real host is 127.0.0.1, letting the allowlist be bypassed and enabling an SSRF via _sign_blob_url_async. This replaces the hand-rolled parsing with urlparse(...).hostname.

Changes

  • pyrit/backend/mappers/attack_mappers.py — use parsed.hostname (RFC 3986-aware) instead of parsed.netloc.split(":")[0], and add a bool(host) guard since hostname returns None for unparseable input. This is because netloc.split(":")[0] stops at the first colon and returns the user portion of user@host, so the blob-looking credential segment was treated as the host. .hostname returns the actual connection target, correctly failing the .blob.core.windows.net suffix check.

Tests and Documentation

  • tests/unit/backend/test_mappers.py — add a regression test asserting the userinfo-spoofed payload is rejected.

@rlundeen2 rlundeen2 self-assigned this Jul 13, 2026
@jsong468 jsong468 added this pull request to the merge queue Jul 13, 2026
Merged via the queue into microsoft:main with commit 99a638e Jul 13, 2026
53 checks passed
@jsong468 jsong468 deleted the icmticket120007 branch July 13, 2026 22:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants