diff --git a/.github/workflows/qa-tests.yml b/.github/workflows/qa-tests.yml
index 90ce5716..ce01cadd 100644
--- a/.github/workflows/qa-tests.yml
+++ b/.github/workflows/qa-tests.yml
@@ -49,4 +49,4 @@ jobs:
 dockerfile_path: ./zen-demo-java/Dockerfile
 app_port: 8080
 sleep_before_test: 30
- skip_tests: test_ssrf,test_stored_ssrf,test_demo_apps_generic_tests
+ skip_tests: test_ssrf,test_demo_apps_generic_tests
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/BlockList.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/BlockList.java
deleted file mode 100644
index f56d9043..00000000
--- a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/BlockList.java
+++ /dev/null
@@ -1,37 +0,0 @@
-package dev.aikido.agent_api.vulnerabilities.ssrf.imds;
-
-
-import java.util.HashSet;
-import java.util.Set;
-
-public class BlockList {
- /** A list of IPs that shouldn't be accessed */
- private final Set blockedIPv4Addresses;
- private final Set blockedIPv6Addresses;
-
- public BlockList() {
- this.blockedIPv4Addresses = new HashSet<>();
- this.blockedIPv6Addresses = new HashSet<>();
- }
-
- /** Add an address to this list */
- public void addAddress(String address, String addressType) {
- if ("ipv4".equals(addressType)) {
- blockedIPv4Addresses.add(address);
- } else if ("ipv6".equals(addressType)) {
- blockedIPv6Addresses.add(address);
- }
- }
-
- /** Check if the IP is on the list */
- public boolean check(String address, String addressType) {
- if (addressType != null) {
- if ("ipv4".equals(addressType)) {
- return blockedIPv4Addresses.contains(address);
- } else if ("ipv6".equals(addressType)) {
- return blockedIPv6Addresses.contains(address);
- }
- }
- return blockedIPv4Addresses.contains(address) || blockedIPv6Addresses.contains(address);
- }
-}
\ No newline at end of file
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/IMDSAddresses.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/IMDSAddresses.java
index d9cf0bd5..225a6e7c 100644
--- a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/IMDSAddresses.java
+++ b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/imds/IMDSAddresses.java
@@ -1,20 +1,25 @@
 package dev.aikido.agent_api.vulnerabilities.ssrf.imds;
+import dev.aikido.agent_api.helpers.net.IPList;
+import static dev.aikido.agent_api.vulnerabilities.ssrf.IsPrivateIP.mapIPv4ToIPv6;
+
 public final class IMDSAddresses {
 private IMDSAddresses() {}
- private static final BlockList imdsAddresses = new BlockList();
+ private static final IPList imdsAddresses = new IPList();
 static {
 // Add the IP addresses used by AWS EC2 instances for IMDS
- imdsAddresses.addAddress("169.254.169.254", "ipv4");
- imdsAddresses.addAddress("fd00:ec2::254", "ipv6");
+ imdsAddresses.add("169.254.169.254");
+ imdsAddresses.add("fd00:ec2::254");
+ imdsAddresses.add(mapIPv4ToIPv6("169.254.169.254"));
 // Add the IP addresses used for Alibaba Cloud
- imdsAddresses.addAddress("100.100.100.200", "ipv4");
+ imdsAddresses.add("100.100.100.200");
+ imdsAddresses.add(mapIPv4ToIPv6("100.100.100.200"));
 }
 /** Checks if the IP is an IMDS IP */
 public static boolean isImdsIpAddress(String ip) {
- return imdsAddresses.check(ip, "ipv4") || imdsAddresses.check(ip, "ipv6");
+ return imdsAddresses.matches(ip);
 }
 }
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/BlockListTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/BlockListTest.java
deleted file mode 100644
index 5ee90546..00000000
--- a/agent_api/src/test/java/vulnerabilities/ssrf/BlockListTest.java
+++ /dev/null
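Review bot: `isImdsIpAddress` now delegates to `IPList.matches`, and the list is seeded with the dotted-quad IMDS addresses plus their `mapIPv4ToIPv6` forms; whether other spellings of the same address (the hex-group form of the IPv4-mapped address, uncompressed zeros, a zone suffix) are also matched depends on how `IPList` canonicalizes its input, which is not visible in this hunk — if it compares strings, a resolver returning one of those spellings would not be recognized, so a direct unit test of `IMDSAddresses.isImdsIpAddress` with such variants is worth adding alongside the Resolver tests. The Javadoc should state the widened contract: `/** Checks if the IP (IPv4, IPv6, or IPv4-mapped IPv6 form) is a known cloud IMDS address. */`. A why-comment on the `mapIPv4ToIPv6` lines, e.g. `// also match the ::ffff:-mapped form a dual-stack resolver may return`, would make the intent clear to the next reader. Taking `mapIPv4ToIPv6` by static import from `IsPrivateIP` ties this address list to that checker's class initialization; a home under `helpers.net` next to `IPList` would read more naturally, though that is a style point.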
@@ -1,100 +0,0 @@
-package vulnerabilities.ssrf;
-
-
-import dev.aikido.agent_api.vulnerabilities.ssrf.imds.BlockList;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-class BlockListTest {
-
- private BlockList blockList;
-
- @BeforeEach
- void setUp() {
- blockList = new BlockList();
- }
-
- @Test
- void testAddIPv4Address() {
- blockList.addAddress("192.168.1.1", "ipv4");
- assertTrue(blockList.check("192.168.1.1", "ipv4"), "IPv4 address should be blocked");
- assertTrue(blockList.check("192.168.1.1", "unknown"), "IPv4 address should be blocked");
- }
-
- @Test
- void testAddIPv6Address() {
- blockList.addAddress("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv6");
- assertTrue(blockList.check("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv6"), "IPv6 address should be blocked");
- assertTrue(blockList.check("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "unknown"), "IPv6 address should be blocked");
-
- }
-
- @Test
- void testAddIPv8AddressDoesNotWork() {
- blockList.addAddress("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv8");
- assertFalse(blockList.check("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4"));
- assertFalse(blockList.check("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv6"));
- assertFalse(blockList.check("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv8"));
- }
-
- @Test
- void testCheckBlockedIPv4Address() {
- blockList.addAddress("10.0.0.1", "ipv4");
- assertTrue(blockList.check("10.0.0.1", "ipv4"), "IPv4 address should be blocked");
- }
-
- @Test
- void testCheckBlockedIPv6Address() {
- blockList.addAddress("::1", "ipv6");
- assertTrue(blockList.check("::1", "ipv6"), "IPv6 address should be blocked");
- }
-
- @Test
- void testCheckUnblockedIPv4Address() {
- blockList.addAddress("192.168.1.1", "ipv4");
- assertFalse(blockList.check("192.168.1.2", "ipv4"), "IPv4 address should not be blocked");
- }
-
- @Test
- void testCheckUnblockedIPv6Address() {
- blockList.addAddress("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv6");
- assertFalse(blockList.check("2001:0db8:85a3:0000:0000:8a2e:0370:7335", "ipv6"), "IPv6 address should not be blocked");
- }
-
- @Test
- void testCheckNullAddressType() {
- blockList.addAddress("192.168.1.1", "ipv4");
- assertTrue(blockList.check("192.168.1.1", null), "IPv4 address should be blocked when checking with null type");
- }
-
- @Test
- void testCheckEmptyAddress() {
- assertFalse(blockList.check("", "ipv4"), "Empty address should not be blocked");
- assertFalse(blockList.check("", "ipv6"), "Empty address should not be blocked");
- }
-
- @Test
- void testAddDuplicateIPv4Address() {
- blockList.addAddress("192.168.1.1", "ipv4");
- blockList.addAddress("192.168.1.1", "ipv4"); // Adding duplicate
- assertTrue(blockList.check("192.168.1.1", "ipv4"), "IPv4 address should still be blocked");
- }
-
- @Test
- void testAddDuplicateIPv6Address() {
- blockList.addAddress("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv6");
- blockList.addAddress("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv6"); // Adding duplicate
- assertTrue(blockList.check("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv6"), "IPv6 address should still be blocked");
- }
-
- @Test
- void testCheckBlockedIPv4AndIPv6() {
- blockList.addAddress("192.168.1.1", "ipv4");
- blockList.addAddress("::1", "ipv6");
- assertTrue(blockList.check("192.168.1.1", "ipv4"), "IPv4 address should be blocked");
- assertTrue(blockList.check("::1", "ipv6"), "IPv6 address should be blocked");
- }
-}
\ No newline at end of file
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/ResolverTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/ResolverTest.java
index 98e58ab8..363ae06b 100644
--- a/agent_api/src/test/java/vulnerabilities/ssrf/ResolverTest.java
+++ b/agent_api/src/test/java/vulnerabilities/ssrf/ResolverTest.java
@@ -27,6 +27,22 @@ void testResolvesToImdsIp_WithImdsIp() {
 assertEquals("169.254.169.254", Resolver.resolvesToImdsIp(resolvedIps, "example.com"));
 }
+ @Test
+ void testResolvesToImdsIp_WithIpv4MappedIP() {
+ Set resolvedIps = new HashSet<>();
+ resolvedIps.add("::ffff:169.254.169.254"); // IMDS IP
+
+ assertEquals("::ffff:169.254.169.254", Resolver.resolvesToImdsIp(resolvedIps, "example.com"));
+ }
+
+ @Test
+ void testResolvesToImdsIp_WithIpv4MappedIP2() {
+ Set resolvedIps = new HashSet<>();
+ resolvedIps.add("::ffff:100.100.100.200"); // IMDS IP
+
+ assertEquals("::ffff:100.100.100.200", Resolver.resolvesToImdsIp(resolvedIps, "example.com"));
+ }
+
 @Test
 void testDoesntResolveToImdsIp_WithHostnameImdsIp() {
 Set resolvedIps = new HashSet<>();
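Review bot: Both new tests exercise only the positive path, so nothing in this hunk guards against the mapped-address matching being broader than intended (for example a prefix match on `::ffff:`); a negative case with an IPv4-mapped address that is not an IMDS address, e.g. `resolvedIps.add("::ffff:203.0.113.10");` (TEST-NET-3, constructed) asserting whatever `resolvesToImdsIp` returns on a miss — which this hunk does not show — would pin that. The two tests are identical apart from the literal, so a `@ParameterizedTest` with `@ValueSource(strings = {"::ffff:169.254.169.254", "::ffff:100.100.100.200"})` would collapse them into one and make adding further IMDS addresses a one-line change. The `Set resolvedIps` declarations read as raw types here; if that is not a rendering artifact, `Set<String>` is presumably what `Resolver.resolvesToImdsIp` expects.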