Fix incorrect hostname suffix matching in no_proxy handling (prevents proxy bypass)#41915
Open
manan2212 wants to merge 2 commits intogrpc:masterfrom
Open
Fix incorrect hostname suffix matching in no_proxy handling (prevents proxy bypass)#41915manan2212 wants to merge 2 commits intogrpc:masterfrom
manan2212 wants to merge 2 commits intogrpc:masterfrom
Conversation
… proxy bypass / SSRF)
The current implementation of hostname matching in no_proxy logic uses a naive suffix check:
absl::EndsWithIgnoreCase(host_name, host_name_or_domain)
This can incorrectly match unrelated domains:
- evilcorp.example.com matches corp.example.com
- notexample.com matches example.com
This behavior deviates from standard no_proxy implementations and can lead to proxy bypass and potential SSRF or policy evasion.
## Fix
This patch replaces suffix matching with boundary-aware domain validation:
- Exact match for normal entries
- Proper subdomain matching only for dot-prefixed entries
## Security Impact
Prevents:
- Proxy bypass
- SSRF amplification
- Security control evasion
murgatroid99
added
release notes: yes
Member
|
Can you also update the documentation here to match the modified behavior? |
murgatroid99
requested changes
Apr 3, 2026
Member
murgatroid99
left a comment
murgatroid99
left a comment
There was a problem hiding this comment.
Please run the formatter (tools/distrib/clang_format_code.sh) or directly apply the changes from this test result
apply clang-format
Author
|
I did required changes. Please let me know if i missed anything else. |
Author
|
Sorry, I closed the PR by mistake!! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The current implementation of hostname matching in
no_proxylogic uses a naive suffix check:absl::EndsWithIgnoreCase(host_name, host_name_or_domain)This can incorrectly match unrelated domains:
evilcorp.example.commatchescorp.example.comnotexample.commatchesexample.comThis behavior deviates from standard
no_proxyimplementations and can lead to proxy bypass or policy evasion.Fix
This patch replaces suffix matching with boundary-aware domain validation:
Security Impact
Prevents: