oracle service vulnerability: local infomation leak

[vang1ong7ang]

the following way of avoiding local access is not enough:

https://github.com/neo-project/neo-modules/blob/32aacc468ad43600817daabbec834e715017d962/src/OracleService/Protocols/OracleHttpsProtocol.cs#L41-L46

           if (!Settings.Default.AllowPrivateHost)
            {
                IPHostEntry entry = await Dns.GetHostEntryAsync(uri.Host);
                if (entry.IsInternal())
                    return (OracleResponseCode.Forbidden, null);
            }

since a remote server is able to return a redirect response whose target is https://local-address/x.

[vang1ong7ang]

possible response:

HTTP/1.1 302 Found
Server Cowboy
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Location: https://127.0.0.1:8888/
Content-Length: 45
<a href=" ">Found</a >.

[shargon]

Yes, you are right, I will try to find if it's possible to fix it without removing the forwarding. Give me some hours

[shargon]

I can't transfer the issue to neo-modules, could you create a new one in the right repository @vang1ong7ang ?

[vang1ong7ang]

@shargon sure