Merge pull request #6 from IncludeSecurity/fqdn_fixes

FQDN fixes
IncludeSecurity · Jun 23, 2023 · c4f9677 · c4f9677
2 parents eca8740 + 12d48c3
commit c4f9677
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,9 @@
 ### Ported by [@nicolasrod](https://github.com/nicolasrod) and docs by [@momopranto](https://github.com/momopranto)
 
 ## Overview
-SafeURL is a library that aids developers in protecting against a class of vulnerabilities known as [Server Side Request Forgery](http://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/). It does this by validating each part of the URL against a configurable white or black list before making an HTTP request. SafeURL is open-source and licensed under MIT.
+SafeURL is a library that aids developers in protecting against a class of vulnerabilities known as [Server Side Request Forgery (SSRF)](http://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/). It does this by validating each part of the URL against a configurable white or black list before making an HTTP request. SafeURL is open-source and licensed under MIT.
+
+Note that for mitigating SSRF vulnerabilities, we first recommend routing outbound requests from your infrastructure through a proxy such as [Smokescreen](https://github.com/stripe/smokescreen). Alternately, ensure that all services which can make outbound requests to potentially user-controlled URLs are firewalled from talking to other internal hosts. Application-layer defences such as this library should only be used if those options are not practical. Please see [our blog post](https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/) for further information.
 
 ## Installation
 Clone this repository and import it into your project.

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,12 +1,12 @@
 [project]
 name = "SafeURL-Python"
-version="1.2"
+version="1.3"
 description="SafeURL is a library that aids developers in protecting against a class of vulnerabilities known as Server Side Request Forgery."
 readme="README.md"
-dependencies = [
-    "pycurl",
-    "netaddr"
-]
+dynamic = ["dependencies"]
+
+[tool.setuptools.dynamic]
+dependencies = {file = ["requirements.txt"]}
 
 [project.urls]
 "Homepage" = "https://github.com/IncludeSecurity/safeurl-python"
diff --git a/requirements.txt b/requirements.txt
@@ -1 +1,2 @@
+netaddr
 pycurl
diff --git a/safeurl/safeurl.py b/safeurl/safeurl.py
@@ -197,7 +197,7 @@ def isInList(self, lst, type_, value):
 
         if type_ == "domain":
             for domain in dst:
-                if domain.lower() == value.lower():
+                if domain.lower().strip(".") == value.lower().strip("."):
                     return True
             return False
         else:

diff --git a/safeurl/safeurl_tests.py b/safeurl/safeurl_tests.py
@@ -68,3 +68,17 @@
     print("Error:", sys.exc_info())
 
 
+# fqdn
+try:
+    sc = safeurl.SafeURL()
+
+    opt = safeurl.Options()
+    opt.setList("blacklist", ["example.com"], "domain")
+    sc.setOptions(opt)
+
+    res = sc.execute("https://example.com.")
+
+except:
+    print("Error:", sys.exc_info())
+
+