Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,3 +26,8 @@
**Vulnerability:** TCP pollers (`aprs.py`, `beast_transport.py`, `cot_receiver.py`) were directly establishing outbound connections (`asyncio.open_connection()`) to user-provided or configurable hostnames/IPs without applying Server-Side Request Forgery (SSRF) validation.
**Learning:** Poller components interacting with external configuration must be treated with the same scrutiny as web endpoints, as they can be weaponized to scan or access internal infrastructure.
**Prevention:** Always wrap hostname/IP targets with `await validate_safe_host(host)` or `await validate_safe_url(url)` via `poller/security.py` before executing outbound requests/TCP connections.

## 2026-07-10 - [Event Loop Blocking DoS via Synchronous SSRF Validation]
**Vulnerability:** In `backend/routers/radio.py`, the `_validate_request_url` event hook used to validate URLs in `httpx.AsyncClient` with `follow_redirects=True` called `validate_safe_url` synchronously. Because `validate_safe_url` performs blocking DNS resolution (`socket.getaddrinfo`), executing it in an async context blocked the backend's main event loop, creating a Denial of Service (DoS) vulnerability.
**Learning:** Using synchronous functions that perform network operations (like DNS resolution) within async event hooks or contexts blocks the asyncio event loop, causing severe latency and potential DoS under load.
**Prevention:** Always offload synchronous blocking calls (such as `socket.getaddrinfo` within SSRF validation) to a separate thread using `await asyncio.get_running_loop().run_in_executor(None, func, *args)` when used within an async context.
4 changes: 3 additions & 1 deletion backend/routers/radio.py
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import asyncio
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path
Expand Down Expand Up @@ -385,7 +386,8 @@ async def proxy_stream(

async def _validate_request_url(request: httpx.Request):
try:
validate_safe_url(str(request.url))
loop = asyncio.get_running_loop()
await loop.run_in_executor(None, validate_safe_url, str(request.url))
except ValueError as e:
# We raise a RequestError here so httpx catches it instead of crashing.
raise httpx.RequestError(f"SSRF validation failed: {e}", request=request)
Expand Down
Loading