From 98d64184d44eb150c381c87859f7b0342a04da7b Mon Sep 17 00:00:00 2001
From: dead-horse <dead_horse@qq.com>
Date: Mon, 26 Mar 2018 14:22:56 +0800
Subject: [PATCH 1/3] feat: support safeCurl for SSRF protection

---
 README.md                                     | 29 ++++++
 agent.js                                      |  7 ++
 app.js                                        |  3 +
 app/extend/agent.js                           | 19 ++++
 app/extend/application.js                     | 16 +++
 app/extend/context.js                         | 16 +++
 config/config.default.js                      |  5 +
 lib/utils.js                                  | 22 +++++
 .../config/config.default.js                  | 14 +++
 .../apps/ssrf-check-address/package.json      |  3 +
 .../config/config.default.js                  | 11 +++
 .../apps/ssrf-ip-black-list/package.json      |  3 +
 test/ssrf.test.js                             | 98 +++++++++++++++++++
 13 files changed, 246 insertions(+)
 create mode 100644 agent.js
 create mode 100644 app/extend/agent.js
 create mode 100644 test/fixtures/apps/ssrf-check-address/config/config.default.js
 create mode 100644 test/fixtures/apps/ssrf-check-address/package.json
 create mode 100644 test/fixtures/apps/ssrf-ip-black-list/config/config.default.js
 create mode 100644 test/fixtures/apps/ssrf-ip-black-list/package.json
 create mode 100644 test/ssrf.test.js

diff --git a/README.md b/README.md
index 2f41f24..7bf891c 100644
--- a/README.md
+++ b/README.md
@@ -483,6 +483,35 @@ Defaulting to "SAMEORIGIN", only allow iframe embed by same origin.
 
 - disable Defaulting to `false`，same as `1; mode=block`.
 
+### SSRF Protection
+
+In a [Server-Side Request Forgery (SSRF)]((https://www.owasp.org/index.php/Server_Side_Request_Forgery)) attack, the attacker can abuse functionality on the server to read or update internal resources.
+
+`egg-security` provide `ctx.safeCurl`, `app.safeCurl` and `agent.safeCurl` to provide http request(like `ctx.curl`, `app.curl` and `agent.curl`) with SSRF protection.
+
+#### Configuration
+
+* ipBlackList(Array) - specific which ip are illegal when request with `safeCurl`.
+* checkAddress(Function) - determine the ip by the function's return value, `false` means illegal ip.
+
+```js
+// config/config.default.js
+exports.security = {
+  ssrf: {
+    // support both cidr subnet or specific ip
+    ipBlackList: [
+      '10.0.0.0/8',
+      '127.0.0.1',
+      '0.0.0.0/32',
+    ],
+    // checkAddress has higher priority than ipBlackList
+    checkAddress(ip) {
+      return ip !== '127.0.0.1';
+    }
+  },
+};
+```
+
 ## Other
 
 * Forbidden `trace` `track` `options` http method.
diff --git a/agent.js b/agent.js
new file mode 100644
index 0000000..18b2f9f
--- /dev/null
+++ b/agent.js
@@ -0,0 +1,7 @@
+'use strict';
+
+const utils = require('./lib/utils');
+
+module.exports = agent => {
+  utils.processSSRFConfig(agent.config.security.ssrf);
+};
diff --git a/app.js b/app.js
index 3195d41..34941ab 100644
--- a/app.js
+++ b/app.js
@@ -1,10 +1,13 @@
 'use strict';
 
 const safeRedirect = require('./lib/safe_redirect');
+const utils = require('./lib/utils');
 
 module.exports = app => {
   app.config.coreMiddleware.push('securities');
 
   // patch response.redirect
   safeRedirect(app);
+
+  utils.processSSRFConfig(app.config.security.ssrf);
 };
diff --git a/app/extend/agent.js b/app/extend/agent.js
new file mode 100644
index 0000000..c6edbe5
--- /dev/null
+++ b/app/extend/agent.js
@@ -0,0 +1,19 @@
+'use strict';
+
+module.exports = {
+  /**
+   * safe curl with ssrf protect
+   * @param {String} url request url
+   * @param {Object} options request options
+   * @return {Promise} response
+   */
+  safeCurl(url, options = {}) {
+    if (this.config.security.ssrf && this.config.security.ssrf.checkAddress) {
+      options.checkAddress = this.config.security.ssrf.checkAddress;
+    } else {
+      this.logger.warn('[egg-security] please configure `config.security.ssrf` first');
+    }
+
+    return this.curl(url, options);
+  },
+};
diff --git a/app/extend/application.js b/app/extend/application.js
index 63ccdf7..36b30ba 100644
--- a/app/extend/application.js
+++ b/app/extend/application.js
@@ -30,3 +30,19 @@ const INJECTION_DEFENSE = '<!--for injection--><!--</html>--><!--for injection--
 exports.injectHijackingDefense = function injectHijackingDefense(tmplStr) {
   return INJECTION_DEFENSE + tmplStr + INJECTION_DEFENSE;
 };
+
+/**
+ * safe curl with ssrf protect
+ * @param {String} url request url
+ * @param {Object} options request options
+ * @return {Promise} response
+ */
+exports.safeCurl = function safeCurl(url, options = {}) {
+  if (this.config.security.ssrf && this.config.security.ssrf.checkAddress) {
+    options.checkAddress = this.config.security.ssrf.checkAddress;
+  } else {
+    this.logger.warn('[egg-security] please configure `config.security.ssrf` first');
+  }
+
+  return this.curl(url, options);
+};
diff --git a/app/extend/context.js b/app/extend/context.js
index d6c012f..425d173 100644
--- a/app/extend/context.js
+++ b/app/extend/context.js
@@ -154,4 +154,20 @@ module.exports = {
       this.logger.warn(`${msg}. See https://eggjs.org/zh-cn/core/security.html#安全威胁csrf的防范`);
     }
   },
+
+  /**
+   * safe curl with ssrf protect
+   * @param {String} url request url
+   * @param {Object} options request options
+   * @return {Promise} response
+   */
+  safeCurl(url, options = {}) {
+    if (this.app.config.security.ssrf && this.app.config.security.ssrf.checkAddress) {
+      options.checkAddress = this.app.config.security.ssrf.checkAddress;
+    } else {
+      this.logger.warn('[egg-security] please configure `config.security.ssrf` first');
+    }
+
+    return this.curl(url, options);
+  },
 };
diff --git a/config/config.default.js b/config/config.default.js
index f4e263d..59d67a1 100644
--- a/config/config.default.js
+++ b/config/config.default.js
@@ -81,6 +81,11 @@ module.exports = () => {
       enable: false,
       policy: {},
     },
+
+    ssrf: {
+      ipBlackList: null,
+      checkAddress: null,
+    },
   };
 
   exports.helper = {
diff --git a/lib/utils.js b/lib/utils.js
index 87b27e6..510182c 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const normalize = require('path').normalize;
+const IP = require('ip');
 
 exports.isSafeDomain = function isSafeDomain(domain, domain_white_list) {
   // add prefix `.`, because all domains in white list are start with `.`
@@ -80,3 +81,24 @@ exports.merge = function merge(origin, opts) {
   }
   return res;
 };
+
+exports.processSSRFConfig = function(config) {
+  // transfor ssrf.ipBlackList to ssrf.checkAddress
+  // checkAddress has higher priority than ipBlackList
+  if (config && config.ipBlackList && !config.checkAddress) {
+    const containsList = config.ipBlackList.map(getContains);
+    config.checkAddress = ip => {
+      for (const contains of containsList) {
+        if (contains(ip)) return false;
+      }
+      return true;
+    };
+  }
+};
+
+function getContains(ip) {
+  if (IP.isV4Format(ip) || IP.isV6Format(ip)) {
+    return _ip => ip === _ip;
+  }
+  return IP.cidrSubnet(ip).contains;
+}
diff --git a/test/fixtures/apps/ssrf-check-address/config/config.default.js b/test/fixtures/apps/ssrf-check-address/config/config.default.js
new file mode 100644
index 0000000..ca175e6
--- /dev/null
+++ b/test/fixtures/apps/ssrf-check-address/config/config.default.js
@@ -0,0 +1,14 @@
+'use strict';
+
+exports.security = {
+  ssrf: {
+    ipBlackList: [
+      '10.0.0.0/8',
+      '127.0.0.1',
+      '0.0.0.0/32',
+    ],
+    checkAddress(ip) {
+      return ip !== '127.0.0.2';
+    },
+  },
+};
diff --git a/test/fixtures/apps/ssrf-check-address/package.json b/test/fixtures/apps/ssrf-check-address/package.json
new file mode 100644
index 0000000..a6d79c1
--- /dev/null
+++ b/test/fixtures/apps/ssrf-check-address/package.json
@@ -0,0 +1,3 @@
+{
+  "name": "ssrf-ip-check-address"
+}
\ No newline at end of file
diff --git a/test/fixtures/apps/ssrf-ip-black-list/config/config.default.js b/test/fixtures/apps/ssrf-ip-black-list/config/config.default.js
new file mode 100644
index 0000000..5ce44f2
--- /dev/null
+++ b/test/fixtures/apps/ssrf-ip-black-list/config/config.default.js
@@ -0,0 +1,11 @@
+'use strict';
+
+exports.security = {
+  ssrf: {
+    ipBlackList: [
+      '10.0.0.0/8',
+      '127.0.0.1',
+      '0.0.0.0/32',
+    ],
+  },
+};
diff --git a/test/fixtures/apps/ssrf-ip-black-list/package.json b/test/fixtures/apps/ssrf-ip-black-list/package.json
new file mode 100644
index 0000000..868fb2c
--- /dev/null
+++ b/test/fixtures/apps/ssrf-ip-black-list/package.json
@@ -0,0 +1,3 @@
+{
+  "name": "ssrf-ip-black-list"
+}
\ No newline at end of file
diff --git a/test/ssrf.test.js b/test/ssrf.test.js
new file mode 100644
index 0000000..ed8808a
--- /dev/null
+++ b/test/ssrf.test.js
@@ -0,0 +1,98 @@
+'use strict';
+
+const mm = require('egg-mock');
+const dns = require('dns');
+const assert = require('assert');
+
+let app;
+describe('test/ssrf.test.js', function() {
+  afterEach(mm.restore);
+
+  describe('no ssrf config', () => {
+    before(() => {
+      app = mm.app({ baseDir: 'apps/csrf' });
+      return app.ready();
+    });
+
+    it('should safeCurl work', async () => {
+      const ctx = app.createAnonymousContext();
+      const url = 'https://127.0.0.1';
+      mm.data(app, 'curl', 'response');
+      mm.data(app.agent, 'curl', 'response');
+      mm.data(ctx, 'curl', 'response');
+
+      let count = 0;
+      function mockWarn(msg) {
+        count++;
+        assert(msg === '[egg-security] please configure `config.security.ssrf` first');
+      }
+
+      mm(app.logger, 'warn', mockWarn);
+      mm(app.agent.logger, 'warn', mockWarn);
+      mm(ctx.logger, 'warn', mockWarn);
+
+      const r1 = await app.safeCurl(url);
+      const r2 = await app.agent.safeCurl(url);
+      const r3 = await ctx.safeCurl(url);
+      assert(r1 === 'response');
+      assert(r2 === 'response');
+      assert(r3 === 'response');
+      assert(count === 3);
+    });
+  });
+
+
+  describe('ipBlackList', () => {
+    before(() => {
+      app = mm.app({ baseDir: 'apps/ssrf-ip-black-list' });
+      return app.ready();
+    });
+
+    it('should safeCurl work', async () => {
+      const urls = [
+        'https://127.0.0.1/foo',
+        'http://10.1.2.3/foo?bar=1',
+        'https://0.0.0.0/',
+        'https://www.google.com/',
+      ];
+      mm.data(dns, 'lookup', '127.0.0.1');
+      const ctx = app.createAnonymousContext();
+
+      for (const url of urls) {
+        await checkIllegalAddressError(app, url);
+        await checkIllegalAddressError(app.agent, url);
+        await checkIllegalAddressError(ctx, url);
+      }
+    });
+  });
+
+  describe('checkAddress', () => {
+    before(() => {
+      app = mm.app({ baseDir: 'apps/ssrf-check-address' });
+      return app.ready();
+    });
+
+    it('should safeCurl work', async () => {
+      const urls = [
+        'https://127.0.0.2/foo',
+        'https://www.google.com/foo',
+      ];
+      mm.data(dns, 'lookup', '127.0.0.2');
+      const ctx = app.createAnonymousContext();
+      for (const url of urls) {
+        await checkIllegalAddressError(app, url);
+        await checkIllegalAddressError(app.agent, url);
+        await checkIllegalAddressError(ctx, url);
+      }
+    });
+  });
+});
+
+async function checkIllegalAddressError(instance, url) {
+  try {
+    await instance.safeCurl(url);
+    throw new Error('should not execute');
+  } catch (err) {
+    assert(err.name === 'IllegalAddressError');
+  }
+}

From 7ba6dce52563f27f87cb58885c5831526198a25e Mon Sep 17 00:00:00 2001
From: dead-horse <dead_horse@qq.com>
Date: Tue, 27 Mar 2018 12:07:13 +0800
Subject: [PATCH 2/3] benchmark: add cidr subnet benchmark

---
 test/benchmark/cidr_subnet.js | 50 +++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 test/benchmark/cidr_subnet.js

diff --git a/test/benchmark/cidr_subnet.js b/test/benchmark/cidr_subnet.js
new file mode 100644
index 0000000..0239172
--- /dev/null
+++ b/test/benchmark/cidr_subnet.js
@@ -0,0 +1,50 @@
+'use strict';
+
+const ip = require('ip');
+const Benchmark = require('benchmark');
+const benchmarks = require('beautify-benchmark');
+const suite = new Benchmark.Suite();
+
+const parsed1 = ip.cidrSubnet('10.0.0.0/8');
+const parsed2 = ip.cidrSubnet('0.0.0.0/32');
+
+console.log('10.0.0.0/8 contains 10.255.168.1', parsed1.contains('10.255.168.1'));
+console.log('10.0.0.0/8 contains 11.255.168.1', parsed1.contains('11.255.168.1'));
+console.log('0.0.0.0/32 contains 0.0.0.0', parsed2.contains('0.0.0.0'));
+console.log('0.0.0.0/32 contains 0.0.0.1', parsed2.contains('0.0.0.1'));
+
+suite
+
+.add('10.0.0/8 match', () => {
+  parsed1.contains('10.255.168.1');
+})
+.add('10.0.0/8 not match', () => {
+  parsed1.contains('11.255.168.1');
+})
+.add('0.0.0/32 match', () => {
+  parsed1.contains('0.0.0.0');
+})
+.add('0.0.0/32 not match', () => {
+  parsed1.contains('0.0.0.1');
+})
+.on('cycle', event => {
+  benchmarks.add(event.target);
+})
+.on('start', event => {
+  console.log('\n  ip.cidrsubnet().contains() Benchmark\n  node version: %s, date: %s\n  Starting...',
+    process.version, Date());
+})
+.on('complete', () => {
+  benchmarks.log();
+})
+.run({ 'async': false });
+
+// ip.cidrsubnet().contains() Benchmark
+// node version: v8.9.1, date: Tue Mar 27 2018 12:04:41 GMT+0800 (CST)
+// Starting...
+// 4 tests completed.
+
+// 10.0.0/8 match     x 338,567 ops/sec ±2.98% (84 runs sampled)
+// 10.0.0/8 not match x 315,822 ops/sec ±5.29% (81 runs sampled)
+// 0.0.0/32 match     x 366,250 ops/sec ±4.47% (78 runs sampled)
+// 0.0.0/32 not match x 370,959 ops/sec ±4.23% (82 runs sampled)

From 86e854592073f20e55ad661a89f729e972038bc7 Mon Sep 17 00:00:00 2001
From: dead-horse <dead_horse@qq.com>
Date: Tue, 27 Mar 2018 14:37:37 +0800
Subject: [PATCH 3/3] refactor

---
 app/extend/agent.js       | 18 +++---------------
 app/extend/application.js | 18 +++---------------
 app/extend/context.js     | 17 ++---------------
 lib/extend/safe_curl.js   | 18 ++++++++++++++++++
 4 files changed, 26 insertions(+), 45 deletions(-)
 create mode 100644 lib/extend/safe_curl.js

diff --git a/app/extend/agent.js b/app/extend/agent.js
index c6edbe5..a9b7855 100644
--- a/app/extend/agent.js
+++ b/app/extend/agent.js
@@ -1,19 +1,7 @@
 'use strict';
 
-module.exports = {
-  /**
-   * safe curl with ssrf protect
-   * @param {String} url request url
-   * @param {Object} options request options
-   * @return {Promise} response
-   */
-  safeCurl(url, options = {}) {
-    if (this.config.security.ssrf && this.config.security.ssrf.checkAddress) {
-      options.checkAddress = this.config.security.ssrf.checkAddress;
-    } else {
-      this.logger.warn('[egg-security] please configure `config.security.ssrf` first');
-    }
+const safeCurl = require('../../lib/extend/safe_curl');
 
-    return this.curl(url, options);
-  },
+module.exports = {
+  safeCurl,
 };
diff --git a/app/extend/application.js b/app/extend/application.js
index 36b30ba..03aa600 100644
--- a/app/extend/application.js
+++ b/app/extend/application.js
@@ -1,5 +1,7 @@
 'use strict';
 
+const safeCurl = require('../../lib/extend/safe_curl');
+
 const INPUT_CSRF = '\r\n<input type="hidden" name="_csrf" value="{{ctx.csrf}}" /></form>';
 
 exports.injectCsrf = function injectCsrf(tmplStr) {
@@ -31,18 +33,4 @@ exports.injectHijackingDefense = function injectHijackingDefense(tmplStr) {
   return INJECTION_DEFENSE + tmplStr + INJECTION_DEFENSE;
 };
 
-/**
- * safe curl with ssrf protect
- * @param {String} url request url
- * @param {Object} options request options
- * @return {Promise} response
- */
-exports.safeCurl = function safeCurl(url, options = {}) {
-  if (this.config.security.ssrf && this.config.security.ssrf.checkAddress) {
-    options.checkAddress = this.config.security.ssrf.checkAddress;
-  } else {
-    this.logger.warn('[egg-security] please configure `config.security.ssrf` first');
-  }
-
-  return this.curl(url, options);
-};
+exports.safeCurl = safeCurl;
diff --git a/app/extend/context.js b/app/extend/context.js
index 425d173..2a32907 100644
--- a/app/extend/context.js
+++ b/app/extend/context.js
@@ -1,5 +1,6 @@
 'use strict';
 
+const safeCurl = require('../../lib/extend/safe_curl');
 const isSafeDomainUtil = require('../../lib/utils').isSafeDomain;
 const rndm = require('rndm');
 const Tokens = require('csrf');
@@ -155,19 +156,5 @@ module.exports = {
     }
   },
 
-  /**
-   * safe curl with ssrf protect
-   * @param {String} url request url
-   * @param {Object} options request options
-   * @return {Promise} response
-   */
-  safeCurl(url, options = {}) {
-    if (this.app.config.security.ssrf && this.app.config.security.ssrf.checkAddress) {
-      options.checkAddress = this.app.config.security.ssrf.checkAddress;
-    } else {
-      this.logger.warn('[egg-security] please configure `config.security.ssrf` first');
-    }
-
-    return this.curl(url, options);
-  },
+  safeCurl,
 };
diff --git a/lib/extend/safe_curl.js b/lib/extend/safe_curl.js
new file mode 100644
index 0000000..b033deb
--- /dev/null
+++ b/lib/extend/safe_curl.js
@@ -0,0 +1,18 @@
+'use strict';
+
+/**
+ * safe curl with ssrf protect
+ * @param {String} url request url
+ * @param {Object} options request options
+ * @return {Promise} response
+ */
+module.exports = function safeCurl(url, options = {}) {
+  const config = this.config || this.app.config;
+  if (config.security.ssrf && config.security.ssrf.checkAddress) {
+    options.checkAddress = config.security.ssrf.checkAddress;
+  } else {
+    this.logger.warn('[egg-security] please configure `config.security.ssrf` first');
+  }
+
+  return this.curl(url, options);
+};