add index

[msaleemzp]

No description provided.

[zeropath-ai-staging]

🟡 3 security issues detected below the blocking threshold. Reviewed everything up to f4f9209.

The following issues were found:

• Issue 1: Server-Side Request Forgery (SSRF)

  • Location: index.js:42-54
  • Score: MEDIUM (67.0)
  • Description: The code claims to prevent DNS rebinding (line 42-43 comment: 'DNS resolution to prevent DNS rebinding'), but the implementation is flawed. The DNS lookup on line 44 resolves the hostname to check if addresses are private, but the resolved addresses are NOT used for the actual request. Instead, line 54 calls axios.get(url) which performs its own independent DNS resolution. An attacker who controls the DNS server for the target hostname can initially return a public IP (passing the private IP check on lines 45-48), then return a private IP (e.g., 127.0.0.1) when axios resolves the hostname milliseconds later. This TOCTOU race condition bypasses the entire SSRF protection.

Evidence: Line 44: const addresses = await dns.lookup(parsedUrl.hostname, { all: true }); - resolves DNS for validation. Line 54: const resp = await axios.get(url); - axios resolves the hostname AGAIN independently. The resolved addresses from line 44 are not passed to the axios call. The comment on lines 42-43 states this is to 'prevent DNS rebinding' but the implementation doesn't actually prevent it.

• Link to UI: https://staging.branch.zeropath.com/app/issues/2f2282dc-23a9-4fc6-9d7a-5aa3a1144309 (Issue 1, id: 2f2282dc-23a9-4fc6-9d7a-5aa3a1144309)

• Issue 2: Server-Side Request Forgery (SSRF)

  • Location: index.js:8-16
  • Score: MEDIUM (65.0)
  • Description: The isPrivateIp function (introduced in this PR) is designed to detect private/internal IP addresses, presumably to protect against Server-Side Request Forgery (SSRF) attacks — as evidenced by the accompanying imports of axios (HTTP client), URL (URL parsing), and dns.promises (DNS resolution). However, the function fails to detect IPv4-mapped IPv6 addresses such as ::ffff:10.0.0.1, ::ffff:192.168.1.1, or ::ffff:127.0.0.1. When an attacker provides a hostname or URL that resolves to or uses this IPv6 format, the function returns false (not private), allowing requests to internal network resources (e.g., cloud metadata services, internal databases, Redis, internal APIs) that should be blocked. This bypasses the intended SSRF protection entirely.

Evidence: The isPrivateIp function at lines 8-16 checks for: ::1, /^127\./, /^10\./, /^192\.168\./, /^172\.(1[6-9]|2[0-9]|3[0-1])\./, fc*, fd*, fe80:*. None of these patterns match IPv4-mapped IPv6 addresses like ::ffff:10.0.0.1. For example, isPrivateIp('::ffff:10.0.0.1') would return false despite 10.0.0.1 being a private IPv4 address. The function is introduced alongside axios, URL, and dns.promises imports, indicating it is intended for SSRF protection in URL-fetching endpoints.

• Link to UI: https://staging.branch.zeropath.com/app/issues/a858d1f1-5254-46cf-9216-9da3fe912d31 (Issue 2, id: a858d1f1-5254-46cf-9216-9da3fe912d31)

• Issue 3: Information Disclosure

  • Location: index.js:57
  • Score: LOW (26.0)
  • Description: The error handler on line 57 returns the raw error message (e.message) to the caller via res.status(500).send(e.message). When the axios.get(url) request fails, the error message may contain sensitive information about the internal network, service banners, hostnames, or other details. This information disclosure aids attackers in reconnaissance of the internal infrastructure.

Evidence: Line 57: res.status(500).send(e.message); - The raw error message from a failed axios request is sent directly to the attacker. Error messages can include connection refused details, DNS resolution failures revealing internal hostnames, TLS errors revealing service details, etc.

• Link to UI: https://staging.branch.zeropath.com/app/issues/888ae07e-648f-49f8-beca-c686ef746173 (Issue 3, id: 888ae07e-648f-49f8-beca-c686ef746173)

Security Overview

• 🔎 Scanned files: 3 changed file(s)
• 🔗 Scan Link: https://staging.branch.zeropath.com/app/repositories/a608076c-86e5-4360-af4f-28d821527ebc?scanId=96a77804-d03e-43c3-9bd2-f0b8bde39ecc&codeScanTypes=PrScan&tab=issues

Detected Code Changes

Change Type	Relevant files
Enhancement	► browser.js     Add function to execute user scripts ► index.js     Implement Express server with /fetch route     Add IP address validation and DNS resolution for fetched URLs ► index.php     Add PHP file to display GET parameter

[zeropath-ai-staging]

SSRF: /fetch endpoint does not validate redirect targets (Severity: MEDIUM)

Server-side request forgery (SSRF) can occur because the /fetch endpoint does not validate redirect targets, allowing attackers to access internal services. While the initial URL is checked, an attacker can host a server that redirects to internal resources, such as http://127.0.0.1:6379. This bypasses SSRF protections because axios on line 54 follows redirects by default, resulting in sensitive data from internal services being returned to the attacker via res.send(resp.data) on line 55.
_{View details in ZeroPath}

Suggested change

	const resp = await axios.get(url);
	res.send(resp.data);
	const resp = await axios.get(url, { maxRedirects: 0 });
	res.send(resp.data);

---

_{💬 Reply @zeropath-ai false-positive because … or @zeropath-ai accepted-risk because … to triage this finding, or ask it any question.}

_{All commands}

[msaleemzp]

@zeropath-ai rescan force

[zeropath-ai]

Failed to trigger rescan due to an internal error.

[zeropath-ai-moe]

Failed to trigger rescan due to an internal error.

[zeropath-ai-staging]

Rescan started for this PR.

[msaleemzp]

@zeropath-ai-staging rescan force

[zeropath-ai-staging]

Rescan started for this PR.