oracle service vulnerability: local information leak

[vang1ong7ang]

the following way of avoiding local access is not enough:

neo-modules/src/OracleService/Protocols/OracleHttpsProtocol.cs

Lines 41 to 46 in 32aacc4

	if (!Settings.Default.AllowPrivateHost)
	{
	IPHostEntry entry = await Dns.GetHostEntryAsync(uri.Host);
	if (entry.IsInternal())
	return (OracleResponseCode.Forbidden, null);
	}

since a remote server is able to return a redirect response whose target is https://local-address/x.

original issue neo-project/neo#2662

[vang1ong7ang]

and actually i don't think any of current solution (#692, #694) 100% works. (although i prefer #692 because it actually avoid the request happening)

because they cannot avoid dns rebinding attack

[vang1ong7ang]

to prevent ssrf and dns rebinding, i suggested customizing http.Transport in nspcc/neo-go which is a reliable solution easily searched.

still haven't find any easy solution on dotnet. probably we need a new httpsclient 🌚

(too many years, no answer)
https://stackoverflow.com/questions/58391775/how-to-prevent-ssrf-in-net