Skip to content

A Server Side Request Forgery (SSRF) protection library. Made with 🖤 by Doyensec LLC.

License

Notifications You must be signed in to change notification settings

doyensec/safeurl

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

safeurl

A Go library created to help developers protect their applications from Server Side Request Forgery (SSRF) attacks. It implements a safeurl.Client wrapper around Go's native net/http.Client and performs validation on the incoming request against the configured allow and block lists. It also implements mitigation for DNS rebinding attacks.

Configuration options

The safeurl.Client can be configured through the safeurl.Config struct. It enables configuration of the following options:

AllowedPorts                    - list of ports the application is allowed to connect to
AllowedSchemes                  - list of schemas the application can use
AllowedHosts                    - list of hosts the application is allowed to communicate with
BlockedIPs                      - list of IP addresses the application is not allowed to connect to
AllowedIPs                      - list of IP addresses the application is allowed to connect to
AllowedCIDR                     - list of CIDR ranges the application is allowed to connect to
BlockedCIDR                     - list of CIDR ranges the application is not allowed to connect to

IsIPv6Enabled                   - specifies wether communication through IPv6 is enabled
AllowSendingCredentials         - specifies wether HTTP credentials should be sent

IsDebugLoggingEnabled          - enables debug logs

How to use the safeurl.Client?

First, you need to include the safeurl module. To do that, simply add github.com/doyensec/safeurl to your project's go.mod file.

Sample:

import (
    "fmt"
    "github.com/doyensec/safeurl"
)

func main() {
    config := safeurl.GetConfigBuilder().
        SetAllowedHosts("example.com").
        Build()

    client := safeurl.Client(config)

    resp, err := client.Get("https://example.com")
    if err != nil {
        fmt.Errorf("request return error: %v", err)
    }

    // read response body
}

Running tests

To successfully run all the unit tests, you will need to run a local DNS and HTTP server. That can be done by executing the following command:

go run testing/servers.go

Once the servers are up and running, the unit test can be ran with:

go test -v

Credits

This tool has been created by Viktor Chuchurski and Alessandro Cotto of Doyensec LLC during our 25% research time.

Doyensec Research

About

A Server Side Request Forgery (SSRF) protection library. Made with 🖤 by Doyensec LLC.

Topics

Resources

License

Security policy

Stars

Watchers

Forks

Contributors 3

  •  
  •  
  •  

Languages