Merge pull request #261 from AikidoSec/fix-stored-ssrf-issue

Stored SSRF: Add ipv4-mapped ipv6 addresses

Author: bitterpanda63

.github/workflows/qa-tests.yml

@@ -49,4 +49,4 @@ jobs:
                   dockerfile_path: ./zen-demo-java/Dockerfile
                   app_port: 8080
                   sleep_before_test: 30
-                  skip_tests: test_ssrf,test_stored_ssrf,test_demo_apps_generic_tests
+                  skip_tests: test_ssrf,test_demo_apps_generic_tests

agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/BlockList.java

@@ -1,20 +1,25 @@
 package dev.aikido.agent_api.vulnerabilities.ssrf.imds;
 
+import dev.aikido.agent_api.helpers.net.IPList;
+import static dev.aikido.agent_api.vulnerabilities.ssrf.IsPrivateIP.mapIPv4ToIPv6;
+
 public final class IMDSAddresses {
     private IMDSAddresses() {}
-    private static final BlockList imdsAddresses = new BlockList();
+    private static final IPList imdsAddresses = new IPList();
 
     static {
         // Add the IP addresses used by AWS EC2 instances for IMDS
-        imdsAddresses.addAddress("169.254.169.254", "ipv4");
-        imdsAddresses.addAddress("fd00:ec2::254", "ipv6");
+        imdsAddresses.add("169.254.169.254");
+        imdsAddresses.add("fd00:ec2::254");
+        imdsAddresses.add(mapIPv4ToIPv6("169.254.169.254"));
 
         // Add the IP addresses used for Alibaba Cloud
-        imdsAddresses.addAddress("100.100.100.200", "ipv4");
+        imdsAddresses.add("100.100.100.200");
+        imdsAddresses.add(mapIPv4ToIPv6("100.100.100.200"));
     }
 
     /** Checks if the IP is an IMDS IP */
     public static boolean isImdsIpAddress(String ip) {
-        return imdsAddresses.check(ip, "ipv4") || imdsAddresses.check(ip, "ipv6");
+        return imdsAddresses.matches(ip);
     }
 }

agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/IMDSAddresses.java

@@ -27,6 +27,22 @@ void testResolvesToImdsIp_WithImdsIp() {
         assertEquals("169.254.169.254", Resolver.resolvesToImdsIp(resolvedIps, "example.com"));
     }
 
+    @Test
+    void testResolvesToImdsIp_WithIpv4MappedIP() {
+        Set<String> resolvedIps = new HashSet<>();
+        resolvedIps.add("::ffff:169.254.169.254"); // IMDS IP
+
+        assertEquals("::ffff:169.254.169.254", Resolver.resolvesToImdsIp(resolvedIps, "example.com"));
+    }
+
+    @Test
+    void testResolvesToImdsIp_WithIpv4MappedIP2() {
+        Set<String> resolvedIps = new HashSet<>();
+        resolvedIps.add("::ffff:100.100.100.200"); // IMDS IP
+
+        assertEquals("::ffff:100.100.100.200", Resolver.resolvesToImdsIp(resolvedIps, "example.com"));
+    }
+
     @Test
     void testDoesntResolveToImdsIp_WithHostnameImdsIp() {
         Set<String> resolvedIps = new HashSet<>();