Merge pull request #228 from AikidoSec/stored-ssrf-fix-valid-imds-case

bitterpanda63 · web-flow · commit e3a90b3dd2e6 · 2025-09-16T14:42:06.000Z
If the hostname is an IP, skip the stored ssrf vulnerability
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/Resolver.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/Resolver.java
@@ -14,6 +14,11 @@ public static String resolvesToImdsIp(Set<String> resolvedIpAddresses, String ho
             return null;
         }
         for (String ip : resolvedIpAddresses) {
+            if (hostname.trim().equals(ip.trim())) {
+                // If the hostname is the IP, that means no resolving is happening
+                // so the request is safe.
+                continue;
+            }
             if (IMDSAddresses.isImdsIpAddress(ip)) {
                 return ip;
             }
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/ResolverTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/ResolverTest.java
@@ -27,6 +27,14 @@ void testResolvesToImdsIp_WithImdsIp() {
         assertEquals("169.254.169.254", Resolver.resolvesToImdsIp(resolvedIps, "example.com"));
     }
 
+    @Test
+    void testDoesntResolveToImdsIp_WithHostnameImdsIp() {
+        Set<String> resolvedIps = new HashSet<>();
+        resolvedIps.add("169.254.169.254"); // IMDS IP
+
+        assertNull(Resolver.resolvesToImdsIp(resolvedIps, " 169.254.169.254 "));
+    }
+
     @Test
     void testResolvesToImdsIp_WithMultipleResolvedIps_OneImdsIp() {
         Set<String> resolvedIps = new HashSet<>();
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/StoredSSRFDetectorTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/StoredSSRFDetectorTest.java
@@ -70,6 +70,13 @@ void run_WhenIpIsIpv6ImdsIp_ReturnsAttack() {
         assertNull(result.user);
     }
 
+    @Test
+    void run_WhenIpIsIpv6ImdsIp_ReturnsAttackNotWhenIpIsHostname() {
+        Attack result = detector.run("fd00:ec2::254", List.of("fd00:ec2::254"), "testOperation");
+        assertNull(result);
+    }
+
+
     @Test
     void run_WhenIpIsNotImdsIp_ReturnsNull() {
         Attack result = detector.run("test.example.com", List.of("192.168.1.1"), "testOperation");

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,11 @@ public static String resolvesToImdsIp(Set<String> resolvedIpAddresses, String ho`
`14`	`14`	`return null;`
`15`	`15`	`}`
`16`	`16`	`for (String ip : resolvedIpAddresses) {`
	`17`	`+ if (hostname.trim().equals(ip.trim())) {`
	`18`	`+ // If the hostname is the IP, that means no resolving is happening`
	`19`	`+ // so the request is safe.`
	`20`	`+ continue;`
	`21`	`+ }`
`17`	`22`	`if (IMDSAddresses.isImdsIpAddress(ip)) {`
`18`	`23`	`return ip;`
`19`	`24`	`}`