hackerone | Haxatron1 | H1:1528242
Apr 01, 2022 - 7:17 p.m.

Stripe: Bypass global deny-lists by wrapping domains using "[]" in https://github.com/stripe/smokescreen

Tags: stripe, open source, deny-lists, internal urls, bug bounty, ssrf

EPSS: 0.001 (percentile 34.8%)

The Smokescreen proxy is an open source project written and maintained by Stripe to restrict the URLs that internal services can connect to. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of our applications to connect to or scan Stripe’s internal infrastructure. More information on Smokescreen can be found on its GitHub page at https://github.com/stripe/smokescreen.

Smokescreen also offers an option to deny access to additional (e.g. external) URLs by way of a deny list. This report identified an issue which made it possible to bypass the deny list feature by surrounding the hostname with square brackets, with an optional port appended (e.g. http://[example.com]:80). This issue was fixed in Smokescreen v0.0.4.
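The bracket trick works against any deny-list check that matches the raw target string instead of a canonicalised hostname. The following Go program is an added illustration of that pitfall and of a fail-closed fix; it is not Smokescreen's own code and assumes a CONNECT-style target of the form host, host:port, [v6] or [v6]:port checked against a constructed deny-list of hostnames.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample deny-list of lower-case hostnames; not Smokescreen's config.
var denyList = map[string]bool{"example.com": true}

// naiveDenied shows the class of bug in the report: the raw CONNECT target is
// matched after a bare port strip, so "[example.com]:80" never hits the list.
func naiveDenied(target string) bool {
	host := target
	if i := strings.LastIndex(target, ":"); i >= 0 {
		host = target[:i]
	}
	return denyList[strings.ToLower(host)]
}

// canonicalHost reduces "host", "host:port", "[v6]" or "[v6]:port" to the bare
// hostname the list is keyed on; brackets are accepted only round a real IPv6.
func canonicalHost(target string) (string, error) {
	host, _, err := net.SplitHostPort(target)
	if err != nil { // no (or unparseable) port: the whole string is the host
		host = strings.TrimSuffix(strings.TrimPrefix(target, "["), "]")
	}
	if strings.ContainsAny(host, "[]") {
		return "", fmt.Errorf("stray bracket in %q", target)
	}
	if strings.HasPrefix(target, "[") {
		if ip := net.ParseIP(host); ip == nil || !strings.Contains(host, ":") {
			return "", fmt.Errorf("bracketed host %q is not an IPv6 literal", host)
		}
	}
	return strings.TrimSuffix(strings.ToLower(host), "."), nil // case, trailing dot
}

// hardenedDenied fails closed: anything canonicalHost rejects is denied.
func hardenedDenied(target string) bool {
	host, err := canonicalHost(target)
	return err != nil || denyList[host]
}

func main() {
	for _, t := range []string{"example.com:80", "[example.com]:80", "[2001:db8::1]:443"} {
		fmt.Printf("%-20s naive=%-5v hardened=%v\n", t, naiveDenied(t), hardenedDenied(t))
	}
}
```

The hardened path also folds case and a trailing dot, two other common ways a deny-list keyed on exact strings gets missed.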
