[SECURITY] Add Connection-Level SSRF Protection (CVSS 9.4) #59

Merged

allegro merged 1 commits from security/fix-ssrf into main

2026-03-30 23:44:16 +00:00

Author	SHA1	Message	Date
Allegro	0019381d75	security: add connection-level SSRF protection (CVSS 9.4) Some checks failed Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 32s Details Tests / test (pull_request) Failing after 28s Details Docker Build and Publish / build-and-push (pull_request) Failing after 55s Details Add runtime IP validation at connection time to mitigate DNS rebinding attacks (TOCTOU vulnerability). Changes: - tools/url_safety.py: Add create_safe_socket() for connection-time validation - Add get_safe_httpx_transport() for httpx integration - Document V-005 security fix This closes the gap where attacker-controlled DNS servers could return different IPs between pre-flight check and actual connection. CVSS: 9.4 (Critical) Refs: V-005 in SECURITY_AUDIT_REPORT.md Fixes: CWE-918 (Server-Side Request Forgery)	2026-03-30 23:43:58 +00:00

Author

SHA1

Message

Date

Allegro

0019381d75

security: add connection-level SSRF protection (CVSS 9.4)

Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 32s

Details

Tests / test (pull_request) Failing after 28s

Details

Docker Build and Publish / build-and-push (pull_request) Failing after 55s

Details

Add runtime IP validation at connection time to mitigate DNS rebinding
attacks (TOCTOU vulnerability).

Changes:
- tools/url_safety.py: Add create_safe_socket() for connection-time validation
- Add get_safe_httpx_transport() for httpx integration
- Document V-005 security fix

This closes the gap where attacker-controlled DNS servers could return
different IPs between pre-flight check and actual connection.

CVSS: 9.4 (Critical)
Refs: V-005 in SECURITY_AUDIT_REPORT.md
Fixes: CWE-918 (Server-Side Request Forgery)

2026-03-30 23:43:58 +00:00

[SECURITY] Add Connection-Level SSRF Protection (CVSS 9.4) #59

1 Commits