neo-project / neo-modules

oracle service vulnerability: local information leak #693

Open vang1ong7ang opened 2 years ago

vang1ong7ang commented 2 years ago

the following way of avoiding local access is not enough:

https://github.com/neo-project/neo-modules/blob/32aacc468ad43600817daabbec834e715017d962/src/OracleService/Protocols/OracleHttpsProtocol.cs#L41-L46

since a remote server is able to return a redirect response whose target is https://local-address/x.

original issue https://github.com/neo-project/neo/issues/2662

vang1ong7ang commented 2 years ago

and actually i don't think any of the current solutions (#692, #694) 100% works. (although i prefer #692 because it actually avoids the request happening)

because they cannot avoid a dns rebinding attack

vang1ong7ang commented 2 years ago

to prevent ssrf and dns rebinding, i suggested customizing http.Transport in nspcc/neo-go which is a reliable solution easily searched.

still haven't found any easy solution on dotnet. probably we need a new httpsclient 🌚

(too many years, no answer) https://stackoverflow.com/questions/58391775/how-to-prevent-ssrf-in-net
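Added example, not code from neo-go or neo-modules: a sketch of the `http.Transport` customization mentioned above, where the destination IP is checked in the dialer's `Control` hook so that redirects and rebinding DNS answers are covered by the same check. The names `ErrBlockedAddr`, `allowedAddr`, `guardControl` and `NewGuardedClient` are hypothetical, and the deny set is an assumption to adapt.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

var ErrBlockedAddr = errors.New("oracle: destination address not allowed")

// allowedAddr rejects loopback, link-local (incl. 169.254.169.254), private,
// unspecified and multicast targets. Assumption: illustrative deny set only.
func allowedAddr(a netip.Addr) bool {
	a = a.Unmap() // ::ffff:127.0.0.1 must be judged as 127.0.0.1
	return a.IsGlobalUnicast() && !a.IsPrivate()
}

// guardControl runs after DNS resolution, immediately before connect(2), so
// "address" is the literal IP:port the socket will use. It fires for every
// new connection, including ones opened to follow a redirect.
func guardControl(_, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrBlockedAddr, err)
	}
	if !allowedAddr(ap.Addr()) {
		return fmt.Errorf("%w: %s", ErrBlockedAddr, ap.Addr())
	}
	return nil
}

// NewGuardedClient returns a client whose transport dials only allowed IPs.
// Proxy is left nil on purpose: with a proxy the dialed IP is the proxy's.
func NewGuardedClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: guardControl}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
	}
}

func main() {
	_, err := NewGuardedClient().Get("http://127.0.0.1:1/") // constructed target
	fmt.Println(errors.Is(err, ErrBlockedAddr), err)
}
```

Because the check sees the resolved IP rather than the hostname, a URL-level filter like the one linked in the first comment is not needed for this property, though it can stay as an early rejection.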