fix(provider-utils): prevent SSRF bypass via DNS resolution in validateDownloadUrl#13718
Closed
majiayu000 wants to merge 2 commits into vercel:main from
Conversation
Add missing private IPv4 ranges (CGNAT, benchmarking, reserved, broadcast) to isPrivateIPv4(). Add validateResolvedUrl() that resolves hostnames via DNS and blocks private IPs, preventing DNS rebinding SSRF attacks where a hostname resolves to an internal address like 169.254.169.254. Closes vercel#13510 Signed-off-by: majiayu000 <1835304752@qq.com>
…runtimes Replace top-level node:dns import with dynamic import inside validateResolvedUrl() so the module loads without crashing in edge runtimes (Vercel Edge, Cloudflare Workers, Deno Deploy). The try/catch around the dynamic import gracefully skips DNS validation when node:dns is unavailable. Also adds missing changeset for the SSRF fix. Signed-off-by: majiayu000 <1835304752@qq.com>
Author: Closing as duplicate — #13512 already addresses this issue. Apologies for the overlap.
Background

validateDownloadUrl() only validates literal IP addresses against private ranges. When a hostname is provided, it skips IP validation entirely, allowing DNS-based SSRF bypass where an attacker-controlled domain resolves to internal IPs (e.g., evil.com → 169.254.169.254). Additionally, several private IPv4 ranges were missing from the blocklist.

Summary

Part 1 — Add missing private IPv4 ranges to isPrivateIPv4():

Part 2 — DNS resolution validation:

- validateResolvedUrl() async function that resolves hostnames via dns.promises.lookup() and checks resolved IPs against private ranges
- import('node:dns') to support edge runtimes (graceful skip when unavailable)
- download-blob.ts and download.ts after existing sync validation
- validateDownloadUrl unchanged for backward compatibility

Manual Verification

- pnpm test in packages/provider-utils — all 477 tests pass (node + edge)

Checklist

- (pnpm changeset in the project root)

Related Issues

Fixes #13510
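The following is an added example, not the code from this PR or from the Vercel AI SDK. It shows the shape of the fix the description outlines: an isPrivateIPv4() that covers the CGNAT, benchmarking, reserved and broadcast ranges, a pure checkResolvedAddresses() decision step, and a validateResolvedUrl() that resolves the hostname through node:dns loaded via dynamic import and skips the DNS step when that module is unavailable. The lookup function is injectable so the logic can be exercised offline; the IPv6 handling, the multicast range and all function and type names are this example's own assumptions, not the PR's.

```typescript
// Added example (not the PR's code). Names and the IPv6 handling are assumptions.

export type LookupFn = (hostname: string) => Promise<string[] | null>; // null = resolver unavailable, skip

// Parse a dotted-quad IPv4 string into a 32-bit unsigned number; undefined if malformed.
export function parseIPv4(ip: string): number | undefined {
  const parts = ip.split('.');
  if (parts.length !== 4) return undefined;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return undefined;
    const v = Number(p);
    if (v > 255) return undefined;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// Blocklist of non-routable IPv4 CIDRs, including the ranges the PR adds
// (CGNAT, benchmarking, reserved, broadcast). Multicast is an addition of this example.
const PRIVATE_IPV4_CIDRS: ReadonlyArray<[string, number]> = [
  ['0.0.0.0', 8],      // "this" network
  ['10.0.0.0', 8],     // RFC 1918
  ['100.64.0.0', 10],  // CGNAT (RFC 6598)
  ['127.0.0.0', 8],    // loopback
  ['169.254.0.0', 16], // link-local, includes cloud metadata 169.254.169.254
  ['172.16.0.0', 12],  // RFC 1918
  ['192.168.0.0', 16], // RFC 1918
  ['198.18.0.0', 15],  // benchmarking (RFC 2544)
  ['224.0.0.0', 4],    // multicast (example's addition)
  ['240.0.0.0', 4],    // reserved; also covers the 255.255.255.255 broadcast address
];

function inCidr(addr: number, [base, bits]: [string, number]): boolean {
  const b = parseIPv4(base) as number;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((b & mask) >>> 0);
}

export function isPrivateIPv4(ip: string): boolean {
  const n = parseIPv4(ip);
  if (n === undefined) return false; // not an IPv4 literal at all
  return PRIVATE_IPV4_CIDRS.some(c => inCidr(n, c));
}

// Minimal IPv6 coverage: loopback/unspecified, IPv4-mapped, unique-local, link-local.
export function isPrivateIPv6(ip: string): boolean {
  const s = ip.toLowerCase();
  if (s === '::1' || s === '::') return true;
  const mapped = s.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (mapped) return isPrivateIPv4(mapped[1]); // ::ffff:10.0.0.1 must not slip past the IPv4 check
  if (/^f[cd][0-9a-f]{2}:/.test(s)) return true; // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(s)) return true; // fe80::/10 link-local
  return false;
}

export interface ResolvedCheck { ok: boolean; blocked?: string; reason?: string }

// Pure decision step: reject if any address the hostname resolved to is private.
export function checkResolvedAddresses(hostname: string, addresses: string[]): ResolvedCheck {
  if (addresses.length === 0) return { ok: false, reason: `${hostname} did not resolve` };
  for (const a of addresses) {
    if (isPrivateIPv4(a) || isPrivateIPv6(a)) {
      return { ok: false, blocked: a, reason: `${hostname} resolves to private address ${a}` };
    }
  }
  return { ok: true };
}

// Resolver backed by node:dns. The specifier is held in a variable so the import is
// resolved only at call time; if the module is missing (edge runtime) we return null.
export const nodeLookup: LookupFn = async hostname => {
  let dns: any;
  try {
    const specifier = 'node:dns';
    dns = await import(specifier);
  } catch {
    return null;
  }
  const records: Array<{ address: string }> = await dns.promises.lookup(hostname, { all: true });
  return records.map(r => r.address);
};

export async function validateResolvedUrl(url: string, lookup: LookupFn = nodeLookup): Promise<ResolvedCheck> {
  const host = new URL(url).hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (isPrivateIPv4(host) || isPrivateIPv6(host)) return { ok: false, blocked: host, reason: `${host} is a private address` };
  let addresses: string[] | null;
  try {
    addresses = await lookup(host);
  } catch (e) {
    return { ok: false, reason: `DNS lookup failed for ${host}: ${(e as Error).message}` };
  }
  if (addresses === null) return { ok: true, reason: 'DNS validation skipped: resolver unavailable' };
  return checkResolvedAddresses(host, addresses);
}
```

Two caveats follow from this design. Resolving once and then letting the download resolve again is a time-of-check/time-of-use gap: a resolver that alternates answers with a short TTL can pass the check and still steer the subsequent fetch to an internal address, so a complete defence pins the fetch to the address that was validated (for example via a custom agent or lookup hook). And the "graceful skip" means that on runtimes without node:dns the hostname path has no DNS validation at all, which is worth surfacing in logs rather than treating as a pass.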