The 0.0.0.0 IP address is a reserved IP. So there is no bypass.
Thanks for submitting PR。
If you hava any questions, please submit issue or pull request.

我又测试了一下发现：运行 python3 -m http.server 9999 , 然后去访问http://127.0.0.1:8080/ssrf/ImageIO_safe?url=http://0.0.0.0:9999 是能够访问的

Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...
192.168.197.1 - - [03/Sep/2019 18:12:45] "GET / HTTP/1.1" 200 -
192.168.197.1 - - [03/Sep/2019 18:12:45] "GET / HTTP/1.1" 200 -
192.168.197.1 - - [03/Sep/2019 18:12:58] "GET / HTTP/1.1" 200 -

当时绑定ip为127.0.0.1的时候 python3 -m http.server -b 127.0.0.1 9999 ,再去访问http://127.0.0.1:8080/ssrf/ImageIO_safe?url=http://0.0.0.0:9999 会显示超时

javax.imageio.IIOException: Can't get input stream from URL!

然后我又试了

• curl
  • curl 'http://0.0.0.0:9999'
• python request
  • 发现还是能够访问

上面都是在mac上测试的, 后来又在linux上测试了一下发现情况一样
我觉得加上0.0.0.0的限制还是好一点