Merge pull request #200 from AikidoSec/service-hostnames-dont-allow-numbers

bitterpanda63 · web-flow · commit 1e3e32e5f2a0 · 2025-07-22T11:16:59.000Z
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/RequestToServiceHostnameChecker.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/RequestToServiceHostnameChecker.java
@@ -4,8 +4,8 @@
 import java.util.regex.Pattern;
 
 public final class RequestToServiceHostnameChecker {
-    // Pattern allows alphanumerical input (case-insensitive), dashes (-) and underscores (_)
-    private static final Pattern SERVICE_HOSTNAME_PATTERN = Pattern.compile("^[a-zA-Z0-9-_]+$");
+    // Pattern allows alpha input (case-insensitive), dashes (-) and underscores (_)
+    private static final Pattern SERVICE_HOSTNAME_PATTERN = Pattern.compile("^[a-zA-Z-_]+$");
     private static final List ALLOWED_LOCALHOST_VARIANTS = List.of(
         "localhost", "localdomain"
     );
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/RequestToServiceHostnameCheckerTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/RequestToServiceHostnameCheckerTest.java
@@ -13,9 +13,9 @@ class RequestToServiceHostnameCheckerTest {
     void testValidHostnames() {
         assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid_hostname"));
         assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid-hostname"));
-        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid123"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("valid123"));
         assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("hostname_with_underscores-and-dashes"));
-        assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("123456"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("123456"));
         assertTrue(RequestToServiceHostnameChecker.isRequestToServiceHostname("a-b_c"));
     }
 
@@ -92,6 +92,9 @@ void testAllowedIPv6Addresses() {
         assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("2001:0db8:85a3:0000:0000:8a2e:0370:7334"));
         assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("::1"));
         assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("::ffff:192.168.1.1"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("2130706433"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("127.1"));
+        assertFalse(RequestToServiceHostnameChecker.isRequestToServiceHostname("0"));
     }
 
     @Test
