Skip to content

Reject internal IPs when verifying user controlled domains (SSRF)#6450

Open
cnkk wants to merge 2 commits into
masterfrom
limit-verify-verification
Open

Reject internal IPs when verifying user controlled domains (SSRF)#6450
cnkk wants to merge 2 commits into
masterfrom
limit-verify-verification

Conversation

@cnkk

@cnkk cnkk commented Jun 15, 2026

Copy link
Copy Markdown
Member

Prevents resolving to internal IPs when running domain verifications (SSO, Installation verification)

cnkk and others added 2 commits June 15, 2026 23:09
@cnkk
User-controlled hostnames (SSO domains, site data_domains, custom ver…
ddfa081 
…ification URLs) get dereferenced by an outbound HTTP client. A public hostname can resolve to a private/loopback/link-local address (e.g. cloud metadata at 169.254.169.254) and turn a verification fetch into an internal request.

Add Plausible.SSRFProtection to classify resolved IPs and guard the
request path in three layers:
- syntactic check at add-time rejects literal IPs and dot-less hosts
- resolve-time check rejects hosts whose A or AAAA records are internal
- a Req response step refuses redirects whose Location is internal

IPv6 classification re-checks IPv4 embedded in mapped, IPv4-compatible,
NAT64, and 6to4 addresses.
@cnkk
Merge branch 'master' into limit-verify-verification
061b06c
@cnkk cnkk added the preview label Jun 15, 2026
@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown
Preview environment👷🏼‍♀️🏗️
PR-6450

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

preview

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cnkk