
Commit ea6f900

committed
add ipv4-mapped ipv6 addresses to imds check
1 parent 82ed1e0 commit ea6f900


2 files changed

+13
-26
lines changed

2 files changed

+13
-26
lines changed

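--- a/aikido_zen/vulnerabilities/ssrf/imds.py
+++ b/aikido_zen/vulnerabilities/ssrf/imds.py
@@ -3,41 +3,24 @@
 is_imds_ip_address, is_trusted_hostname, resolves_to_imds_ip
 """
 
+from aikido_zen.helpers.ip_matcher import IPMatcher
+from aikido_zen.helpers.ip_matcher.map_ipv4_to_ipv6 import map_ipv4_to_ipv6
 
-class BlockList:
-"""A list of IP's that shouldn't be accessed"""
-
-def __init__(self):
-self.blocked_addresses = {"ipv4": set(), "ipv6": set()}
-
-def add_address(self, address, address_type):
-"""Add an address to this list"""
-if address_type in self.blocked_addresses:
-self.blocked_addresses[address_type].add(address)
-
-def check(self, address, address_type=None):
-"""Check if the IP is on the list"""
-if address_type:
-return address in self.blocked_addresses.get(address_type, set())
-return any(
-address in addresses for addresses in self.blocked_addresses.values()
-)
-
-
-# Create an instance of BlockList
-imds_addresses = BlockList()
+imds_addresses = IPMatcher()
 
 # Block the IP addresses used by AWS EC2 instances for IMDS
-imds_addresses.add_address("169.254.169.254", "ipv4")
-imds_addresses.add_address("fd00:ec2::254", "ipv6")
+imds_addresses.add("169.254.169.254")
+imds_addresses.add("fd00:ec2::254")
+imds_addresses.add(map_ipv4_to_ipv6("169.254.169.254"))
 
 # Block the IP address used by Alibaba Cloud
-imds_addresses.add_address("100.100.100.200", "ipv4")
+imds_addresses.add("100.100.100.200")
+imds_addresses.add(map_ipv4_to_ipv6("100.100.100.200"))
 
 
 def is_imds_ip_address(ip):
 """Checks if the IP is an imds ip"""
-return imds_addresses.check(ip) or imds_addresses.check(ip, "ipv6")
+return imds_addresses.has(ip)
 
 
 # Trusted hostnames for Google Cloud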
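Review bot: The IPv4-mapped coverage this commit adds depends on every address being registered twice by hand (new lines 14 and 18), so any IMDS address added later without its `map_ipv4_to_ipv6` twin silently loses that coverage. Normalising once in `is_imds_ip_address` would make the equivalence hold for every entry: `parsed = ipaddress.ip_address(ip)`, then `if isinstance(parsed, ipaddress.IPv6Address) and parsed.ipv4_mapped: parsed = parsed.ipv4_mapped`, and match on `str(parsed)` — with a `ValueError` guard returning False, since the old `BlockList.check` was a plain set lookup and the test file expects `"example.com"` to yield False, while whether `IPMatcher.has` tolerates non-address input is not visible here. Whichever approach stays, a one-line comment above the `map_ipv4_to_ipv6` calls, `# also block the IPv4-mapped IPv6 form (::ffff:a.b.c.d) of the same endpoint`, would record why the duplicate entries exist.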

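--- a/aikido_zen/vulnerabilities/ssrf/imds_test.py
+++ b/aikido_zen/vulnerabilities/ssrf/imds_test.py
@@ -6,12 +6,16 @@ def test_returns_true_for_imds_ip_addresses():
 assert is_imds_ip_address("169.254.169.254") is True
 assert is_imds_ip_address("fd00:ec2::254") is True
 
+
 def test_returns_false_for_non_imds_ip_addresses():
 assert is_imds_ip_address("1.2.3.4") is False
 assert is_imds_ip_address("example.com") is False
 
+
 def test_is_imds_ip_address_ipv6_mapped():
 assert is_imds_ip_address("::ffff:169.254.169.254") is True
+assert is_imds_ip_address("::ffff:100.100.100.200") is True
+
 
 # --- Tests ---
 def test_trusted_hostname_returns_none():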
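Review bot: `test_is_imds_ip_address_ipv6_mapped` only asserts positive matches for the two mapped forms, so a matcher that treated any `::ffff:` address as blocked would still pass. Adding a negative case alongside the new assertion, `assert is_imds_ip_address("::ffff:1.2.3.4") is False`, pins down that the mapping is per-address rather than per-prefix. The existing `"example.com"` case above it already covers non-address input, so no further negative case is needed there.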
