
Prevent SSRF #692

Merged
merged 8 commits into from
Mar 9, 2022
Conversation

shargon
Member

@shargon shargon commented Feb 26, 2022

Fix #693

@erikzhang
Member

@shargon @vang1ong7ang Please check #694

if (entry.IsInternal())
return (OracleResponseCode.Forbidden, null);
}
goto download;
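Review bot: the `goto download` that follows the `IsInternal()` check re-enters the download path with no visible bound on how many redirects are followed, so a server that keeps answering with a redirect to another external address keeps the oracle node looping, and the only thing shown that cuts the chain is a rejected internal target. Keep a hop counter next to the check, increment it before `goto download`, and return an error once it passes a small limit, so the chain ends even when no timeout fires.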

@vang1ong7ang vang1ong7ang Mar 2, 2022

Would this result in infinite redirections?

Infinite redirections will be stopped by the timeout.

Member Author

I can add a max-redirect.

Contributor

Which timeout stops infinite redirections in the current implementation?


> Which timeout stops infinite redirections in the current implementation?

It seems that no timeout will stop the infinite redirections now.

@vang1ong7ang

DNS rebinding should also be considered.

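The three concerns raised in this thread (rejecting internal targets, bounding the redirect chain, and DNS rebinding) as one added Python example. This is illustrative code written for this page, not the OracleService implementation or anything from the PR; the resolver, transport, DNS table, server map, response-code names and the `MAX_REDIRECTS` value are all assumptions constructed for the demo.

```python
"""SSRF-resistant fetch: vet every resolved address, connect to the vetted
address (DNS-rebinding defence) and bound the redirect chain. Added example,
not OracleService code; resolver, transport and data below are constructed."""
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5  # assumed bound; the PR thread only asks that one exist
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_internal(address):
    """True for targets an oracle must never reach: loopback, RFC 1918,
    link-local (169.254.169.254 cloud metadata), multicast, reserved,
    unspecified, and IPv4-mapped IPv6 spellings of the same (::ffff:127.0.0.1)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def fetch(url, resolve, transport, max_redirects=MAX_REDIRECTS):
    """resolve(host) -> list of IP strings; transport(ip, port, host, path) ->
    (status, headers, body). Returns (code, body) with codes modelled on the
    oracle response codes: "Success", "Forbidden" or "Error"."""
    for _ in range(max_redirects + 1):  # first request plus max_redirects hops
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return ("Forbidden", None)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addresses = resolve(parts.hostname)
        # Every A/AAAA answer must be external: an attacker-controlled zone can
        # mix one public record with one private record and hope for the latter.
        if not addresses or any(is_internal(a) for a in addresses):
            return ("Forbidden", None)
        # Pin the vetted address: connect to it and carry the name in the Host
        # header, so no second lookup happens that could have been rebound to an
        # internal address between the check and the connect.
        status, headers, body = transport(addresses[0], port, parts.hostname,
                                          parts.path or "/")
        if status in REDIRECT_CODES:
            if "Location" not in headers:
                return ("Error", None)
            url = urljoin(url, headers["Location"])  # next hop is re-vetted
            continue
        return ("Success", body) if status == 200 else ("Error", None)
    return ("Error", None)  # redirect bound exceeded


# --- constructed demo data: no real hosts or services -----------------------
DNS = {"api.example": ["93.184.216.34"], "meta.example": ["169.254.169.254"]}
SERVERS = {  # (ip, path) -> (status, headers, body)
    ("93.184.216.34", "/price"): (200, {}, b'{"price": 42}'),
    ("93.184.216.34", "/moved"): (302, {"Location": "/price"}, b""),
    ("93.184.216.34", "/to-meta"): (302, {"Location": "http://meta.example/latest/meta-data/"}, b""),
    ("93.184.216.34", "/to-ip"): (302, {"Location": "http://127.0.0.1:6379/"}, b""),
    ("93.184.216.34", "/loop"): (302, {"Location": "/loop"}, b""),
}


def demo_resolve(host):
    """Fake DNS: IP literals resolve to themselves, names via the table."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return DNS.get(host, [])


def make_transport(servers, log):
    """Fake HTTP transport that records which address each connection went to."""
    def transport(ip, port, host, path):
        log.append(ip)
        return servers.get((ip, path), (404, {}, b""))
    return transport


def demo():
    log = []
    transport = make_transport(SERVERS, log)
    results = {
        "ok": fetch("http://api.example/price", demo_resolve, transport),
        "relative_redirect": fetch("http://api.example/moved", demo_resolve, transport),
        "redirect_to_metadata": fetch("http://api.example/to-meta", demo_resolve, transport),
        "redirect_to_loopback": fetch("http://api.example/to-ip", demo_resolve, transport),
        "mapped_v6_loopback": fetch("http://[::ffff:127.0.0.1]/", demo_resolve, transport),
        "redirect_loop": fetch("http://api.example/loop", demo_resolve, transport),
    }
    # Rebinding: the name answers with a public address once, then 127.0.0.1.
    # Only the vetted first answer is ever connected to.
    answers = iter([["93.184.216.34"], ["127.0.0.1"], ["127.0.0.1"]])
    results["rebind"] = fetch("http://rebind.example/price",
                              lambda host: next(answers), transport)
    results["connected_to"] = sorted(set(log))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Pinning the vetted address is what closes the rebinding window the last comment points at: the check and the connection use the same IP, and the name only travels in the `Host` header (for HTTPS a real client must also keep using the name for SNI and certificate validation). The whole record set is checked, not just the first answer, because a resolver or client library is free to pick any of them. The loop counter is the max-redirect the thread asks for; a per-request timeout does not bound a chain of fast redirects, which is why the two are separate controls.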
@shargon shargon mentioned this pull request Mar 3, 2022
erikzhang pushed a commit that referenced this pull request Apr 21, 2022
* add invoked contract (#657)

* add in file copyright (#679)

* witness rule support (#676)

* Prevent SSRF (#692)

* limit free gas (#697)

* add log when exception happens under debug mode (#690)

* dbft: tune MaxBlock* parameters (#688)

* Fix StateAPI.MakeFindStatesParams (#699)

* update Console to ConsoleHelper (#682)

* refac log (#700)

* Make RpcServer.ProcessAsync public to enable better neo express integration (#701)

* Limit result stack (#696)

* fix MaxBlockSystemFee (#703)

* code optimise (#704)

* Add oracle global timeout (#698)