
πŸ›‘οΈ Sentinel: [HIGH] Fix SSRF via Unvalidated Redirects in Pollers#82

Open
d3mocide wants to merge 1 commit into main from fix-ssrf-unvalidated-redirects-pollers-8570493135598417741

Conversation

@d3mocide
Owner

🚨 Severity: HIGH
💡 Vulnerability: Several poller modules (alerts.py, gtfs_rt.py, news.py, utilities.py, weather.py) were using httpx.AsyncClient with follow_redirects=True without validating the URLs of subsequent redirects against SSRF. This could allow external attacker-controlled servers to redirect outbound polling requests to internal/private loopback IP addresses (like 127.0.0.1 or 0.0.0.0).
🎯 Impact: Attackers could probe internal services, access metadata endpoints, or exploit other internal systems.
🔧 Fix: Created a new centralized poller/security.py modeled after backend/security.py that provides SSRF URL filtering. Added validate_request_url hook to all instances of httpx.AsyncClient that follow redirects in the poller modules. Also, updated backend/security.py to correctly block the 0.0.0.0 (unspecified) IPv4 address, which resolves to localhost on Linux and wasn't covered by is_private or is_loopback.
✅ Verification: Ran unit tests on both the backend and poller directories and confirmed successful functionality.


PR created automatically by Jules for task 8570493135598417741 started by @d3mocide

Co-authored-by: d3mocide <136547209+d3mocide@users.noreply.github.com>
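The redirect-validation approach the PR describes, as an added example rather than the PR's own poller/security.py: an httpx "request" event hook re-checks the destination of every outbound request, and because httpx runs request hooks on the follow-up request it builds for each redirect hop when follow_redirects=True, a redirect to 127.0.0.1, 0.0.0.0 or a private range is rejected before it is sent. The names validate_request_url, BlockedUrlError and the injectable resolver are assumptions, not the project's API.

```python
# Added example (not the PR's own code): an httpx "request" event hook that
# re-validates the URL of every outbound request, including the follow-up
# requests httpx builds for each redirect when follow_redirects=True, so a
# redirect cannot steer a poller to loopback, private, link-local or 0.0.0.0.
# validate_request_url, BlockedUrlError and the resolver injection are assumed
# names, not the project's API.
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

class BlockedUrlError(Exception):
    """Raised when a request would reach a disallowed destination."""

def is_disallowed_ip(ip_str: str) -> bool:
    """Loopback, private, link-local, multicast, reserved, and the unspecified
    address (0.0.0.0 / ::), which the OS delivers to localhost."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_unspecified or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)

def _resolve(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host (scope ids stripped)."""
    return sorted({i[4][0].split("%")[0] for i in socket.getaddrinfo(host, None)})

def check_url(url: str, resolve: Callable[[str], Iterable[str]] = _resolve) -> str:
    """Validate scheme and destination; return url unchanged if acceptable.
    resolve is injectable so tests can run without DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedUrlError(f"unsupported or malformed url: {url}")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = list(resolve(host))                 # hostname: check all answers
    if not addrs or any(is_disallowed_ip(a) for a in addrs):
        raise BlockedUrlError(f"destination {host} -> {addrs} is not allowed")
    return url

def validate_request_url(request) -> None:
    """httpx request hook; raising aborts the hop before it is sent. Install with
    httpx.AsyncClient(follow_redirects=True,
                      event_hooks={"request": [validate_request_url]})."""
    check_url(str(request.url))
```

Resolving inside the hook still leaves a DNS-rebinding window between the check and the actual connect; pinning the checked address at the transport layer closes it.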
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.
