
add index #2

Open
msaleemzp wants to merge 5 commits into main from test-2

Conversation

@msaleemzp

Contributor

No description provided.

@msaleemzp msaleemzp closed this Jun 22, 2026
@msaleemzp msaleemzp reopened this Jun 22, 2026
@zeropath-ai-staging

zeropath-ai-staging Bot commented Jun 22, 2026


🟡 3 security issues detected below the blocking threshold. Reviewed everything up to f4f9209.

The following issues were found:

  • Issue 1: Server-Side Request Forgery (SSRF)
    • Location: index.js:42-54
    • Score: MEDIUM (67.0)
    • Description: The code claims to prevent DNS rebinding (line 42-43 comment: 'DNS resolution to prevent DNS rebinding'), but the implementation is flawed. The DNS lookup on line 44 resolves the hostname to check if addresses are private, but the resolved addresses are NOT used for the actual request. Instead, line 54 calls axios.get(url) which performs its own independent DNS resolution. An attacker who controls the DNS server for the target hostname can initially return a public IP (passing the private IP check on lines 45-48), then return a private IP (e.g., 127.0.0.1) when axios resolves the hostname milliseconds later. This TOCTOU race condition bypasses the entire SSRF protection.

Evidence: Line 44: const addresses = await dns.lookup(parsedUrl.hostname, { all: true }); - resolves DNS for validation. Line 54: const resp = await axios.get(url); - axios resolves the hostname AGAIN independently. The resolved addresses from line 44 are not passed to the axios call. The comment on lines 42-43 states this is to 'prevent DNS rebinding' but the implementation doesn't actually prevent it.

  • Issue 2: Server-Side Request Forgery (SSRF)
    • Location: index.js:8-16
    • Score: MEDIUM (65.0)
    • Description: The isPrivateIp function (introduced in this PR) is designed to detect private/internal IP addresses, presumably to protect against Server-Side Request Forgery (SSRF) attacks — as evidenced by the accompanying imports of axios (HTTP client), URL (URL parsing), and dns.promises (DNS resolution). However, the function fails to detect IPv4-mapped IPv6 addresses such as ::ffff:10.0.0.1, ::ffff:192.168.1.1, or ::ffff:127.0.0.1. When an attacker provides a hostname or URL that resolves to or uses this IPv6 format, the function returns false (not private), allowing requests to internal network resources (e.g., cloud metadata services, internal databases, Redis, internal APIs) that should be blocked. This bypasses the intended SSRF protection entirely.

Evidence: The isPrivateIp function at lines 8-16 checks for: ::1, /^127\./, /^10\./, /^192\.168\./, /^172\.(1[6-9]|2[0-9]|3[0-1])\./, fc*, fd*, fe80:*. None of these patterns match IPv4-mapped IPv6 addresses like ::ffff:10.0.0.1. For example, isPrivateIp('::ffff:10.0.0.1') would return false despite 10.0.0.1 being a private IPv4 address. The function is introduced alongside axios, URL, and dns.promises imports, indicating it is intended for SSRF protection in URL-fetching endpoints.

  • Issue 3: Information Disclosure
    • Location: index.js:57
    • Score: LOW (26.0)
    • Description: The error handler on line 57 returns the raw error message (e.message) to the caller via res.status(500).send(e.message). When the axios.get(url) request fails, the error message may contain sensitive information about the internal network, service banners, hostnames, or other details. This information disclosure aids attackers in reconnaissance of the internal infrastructure.

Evidence: Line 57: res.status(500).send(e.message); - The raw error message from a failed axios request is sent directly to the attacker. Error messages can include connection refused details, DNS resolution failures revealing internal hostnames, TLS errors revealing service details, etc.

Security Overview

Detected Code Changes

Change Type: Enhancement
Relevant files:
  • browser.js
    • Add function to execute user scripts
  • index.js
    • Implement Express server with /fetch route
    • Add IP address validation and DNS resolution for fetched URLs
  • index.php
    • Add PHP file to display GET parameter

Comment thread index.js
Comment on lines +54 to +55
const resp = await axios.get(url);
res.send(resp.data);

@zeropath-ai-staging zeropath-ai-staging Bot Jun 22, 2026


SSRF: /fetch endpoint does not validate redirect targets (Severity: MEDIUM)

Server-side request forgery (SSRF) can occur because the /fetch endpoint does not validate redirect targets, allowing attackers to access internal services. While the initial URL is checked, an attacker can host a server that redirects to internal resources, such as http://127.0.0.1:6379. This bypasses SSRF protections because axios on line 54 follows redirects by default, resulting in sensitive data from internal services being returned to the attacker via res.send(resp.data) on line 55.
View details in ZeroPath

Suggested change
const resp = await axios.get(url);
res.send(resp.data);
const resp = await axios.get(url, { maxRedirects: 0 });
res.send(resp.data);
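Review bot: `maxRedirects: 0` stops axios from following a 3xx, but the suggestion does not decide what happens to that 3xx: axios rejects non-2xx responses by default, so a redirecting upstream now lands in the catch on line 57, which (per Issue 3 above) returns `e.message` to the caller. Pair the change with explicit handling of the rejected response that returns a fixed, generic error. It also leaves Issue 1 untouched: the request on line 54 still resolves the hostname independently of the check on line 44.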

💬 Reply @zeropath-ai false-positive because … or @zeropath-ai accepted-risk because … to triage this finding, or ask it any question.

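Issue 1 and the redirect comment above describe two separate gaps in the same `/fetch` handler: the hostname is resolved once for the check and again by axios, and any 3xx from the fetched server turns into a fresh, unchecked request. The block below is an added example, not the PR's code, that builds the axios request from the address that already passed the private-address check, keeps the original `Host` header, refuses redirects, and maps upstream failures to a fixed client message as Issue 3 asks. It assumes plain `http:` only (for `https:` the TLS layer would also need the original hostname for SNI and certificate checking, which this example does not cover); `buildPinnedRequest` and `clientError` are this example's own names.

```javascript
// Added example (not the PR's code): request options for a /fetch handler
// that connects to the already-validated address instead of letting axios
// resolve the hostname a second time, and that does not follow redirects.

function buildPinnedRequest(rawUrl, validatedAddress) {
  const u = new URL(rawUrl);
  if (u.protocol !== "http:") {
    // https would need the original hostname for SNI and certificate checks
    // (agent configuration not shown here); refuse anything else outright.
    throw new Error(`refusing scheme ${u.protocol}`);
  }
  // IPv6 literals must be bracketed when placed in a URL authority.
  const hostPart = validatedAddress.includes(":")
    ? `[${validatedAddress}]`
    : validatedAddress;
  const port = u.port || "80";
  return {
    // Connect to the pinned address; path and query are kept as given.
    url: `http://${hostPart}:${port}${u.pathname}${u.search}`,
    // Keep the original Host header so virtual hosting still works.
    headers: { Host: u.host },
    // Do not follow 3xx: a redirect would be a fresh, unchecked request
    // to wherever the fetched server points.
    maxRedirects: 0,
    // Treat 3xx as failure rather than passing it through as success.
    validateStatus: (status) => status >= 200 && status < 300,
    // Bound the request so a slow upstream cannot hold the handler open.
    timeout: 5000,
  };
}

// Map an upstream failure to a fixed client-facing message (Issue 3): the
// detailed error goes to the server log, not into the HTTP response.
function clientError(err) {
  console.error("fetch failed:", err && err.message);
  return { status: 502, body: "upstream fetch failed" };
}
```

The returned object is what `axios(options)` would be called with after `anyPrivate` style validation of the resolved addresses; a rejected 3xx or a connection error then passes through `clientError` before anything reaches `res`.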

@msaleemzp

Contributor Author

@zeropath-ai rescan force

@zeropath-ai

zeropath-ai Bot commented Jun 22, 2026


Failed to trigger rescan due to an internal error.

@zeropath-ai-moe


Failed to trigger rescan due to an internal error.

@zeropath-ai-staging


Rescan started for this PR.

@msaleemzp

Contributor Author

@zeropath-ai-staging rescan force

@zeropath-ai-staging


Rescan started for this PR.
