Bypassing domain deny_list rule in Smokescreen via trailing dot leads to SSRF
Team Summary
Official summary from Stripe
The Smokescreen proxy is an open source project written and maintained by Stripe to restrict the URLs that internal services can connect to. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of our applications to connect to or scan Stripe's internal infrastructure. More information on Smokescreen can be found on its GitHub page at https://github.com/stripe/smokescreen. Smokescreen also offers an option to deny access to additional (e.g. external) URLs by way of a deny list. This report identified an issue which made it possible to bypass the deny list feature by appending a dot to the end of user-supplied URLs. While the deny list is not a primary security feature, we were excited to see research targeting Smokescreen since it is a critical piece of our internal security controls, and a piece of software that is used beyond Stripe. Improvements here have the potential for a broader positive impact.
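As an added illustration, not Smokescreen's own code, the Go snippet below contrasts a naive exact-match deny-list check, which the trailing-dot form of a host slips past, with a check that canonicalizes the host first; the deny-list entries and helper names are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// denyList is a constructed sample; the real Smokescreen configuration is
// not reproduced here.
var denyList = []string{"internal.example.com", "metadata.example.net"}

// naiveDenied is the exact string comparison the report describes as
// bypassable: "internal.example.com." is not equal to "internal.example.com",
// yet the resolver treats both as the same fully-qualified name.
func naiveDenied(host string) bool {
	for _, d := range denyList {
		if host == d {
			return true
		}
	}
	return false
}

// canonicalHost normalizes a user-supplied host before any policy check:
// drops an explicit port, lowercases, and removes the trailing dot that marks
// a fully-qualified DNS name. Assumed helper, not part of Smokescreen.
func canonicalHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSpace(host))
	return strings.TrimSuffix(host, ".")
}

// hardenedDenied applies the deny list to the canonical form, so the
// trailing-dot and mixed-case variants are judged like the plain name.
func hardenedDenied(host string) bool {
	return naiveDenied(canonicalHost(host))
}

func main() {
	for _, h := range []string{"internal.example.com", "internal.example.com.", "INTERNAL.example.com.:443"} {
		fmt.Printf("%-28s naive=%-5v hardened=%v\n", h, naiveDenied(h), hardenedDenied(h))
	}
}
```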
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Submitted
Weakness: Server-Side Request Forgery (SSRF)