
A Server Side Request Forgery (SSRF) protection library. Made with 🖤 by Doyensec LLC.

safeurl

A Go library created to help developers protect their applications from Server Side Request Forgery (SSRF) attacks. It implements a safeurl.Client wrapper around Go's native net/http.Client and validates every request made through it against the configured allow and block lists before a connection is opened. It also implements mitigation for DNS rebinding attacks.

Configuration options

The safeurl.Client can be configured through the safeurl.Config struct. It enables configuration of the following options:

AllowedPorts                    - list of ports the application is allowed to connect to
AllowedSchemes                  - list of URL schemes the application can use
AllowedHosts                    - list of hosts the application is allowed to communicate with
BlockedIPs                      - list of IP addresses the application is not allowed to connect to
AllowedIPs                      - list of IP addresses the application is allowed to connect to
AllowedCIDR                     - list of CIDR ranges the application is allowed to connect to
BlockedCIDR                     - list of CIDR ranges the application is not allowed to connect to

IsIPv6Enabled                   - specifies whether communication over IPv6 is enabled
AllowSendingCredentials         - specifies whether HTTP credentials should be sent

IsDebugLoggingEnabled           - enables debug logs

How to use the safeurl.Client?

First, you need to include the safeurl module. To do that, simply add github.com/doyensec/safeurl to your project's go.mod file.

Sample:

package main

import (
    "fmt"
    "io"

    "github.com/doyensec/safeurl"
)

func main() {
    // Only example.com is allowed; requests to any other host are rejected
    // before a connection is made.
    config := safeurl.GetConfigBuilder().
        SetAllowedHosts("example.com").
        Build()

    client := safeurl.Client(config)

    resp, err := client.Get("https://example.com")
    if err != nil {
        // fmt.Errorf only builds an error value; report the error instead of discarding it
        fmt.Printf("request returned error: %v\n", err)
        return
    }
    defer resp.Body.Close()

    // read response body
    body, err := io.ReadAll(resp.Body)
    if err != nil {
        fmt.Printf("reading body failed: %v\n", err)
        return
    }
    fmt.Printf("received %d bytes\n", len(body))
}
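The validation the library performs on the configured lists, and the DNS rebinding mitigation mentioned at the top of the README, are easiest to understand from a small stand-alone version of the same idea. The block below is an added example written for this page in standard-library Go; it is not safeurl's code, and the Policy type, its Validate and Get methods, DefaultBlocked and the injectable Resolver are all assumptions made here. Validate checks scheme, port and host against allow lists, resolves the name once and rejects the request if any returned address falls in a blocked CIDR; Get then dials that approved address directly, so a second lookup at connect time cannot swap in a different one, and it refuses redirects because a Location header would otherwise bypass the check.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"slices"
)

// Policy mirrors the kinds of lists the config options above describe (hypothetical
// type, not safeurl's). Resolver is injectable so the checks can run without live DNS.
type Policy struct {
	AllowedSchemes, AllowedPorts, AllowedHosts []string // empty AllowedHosts: any host name
	BlockedCIDR                                []*net.IPNet
	Resolver                                   func(ctx context.Context, host string) ([]net.IP, error)
}

// DefaultBlocked is a typical SSRF deny set (constructed here): loopback, RFC 1918,
// link-local (where cloud metadata services live), "this network" and IPv6 equivalents.
var DefaultBlocked = parseCIDRs("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")

func parseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // only reachable if a literal above is malformed
		}
		nets = append(nets, n)
	}
	return nets
}

// Validate applies the scheme, port and host lists, resolves the name once and rejects the
// request if ANY returned address is blocked (a name can carry a public and a private record).
// On success it returns the parsed URL and the one "ip:port" a connection may be dialed to.
func (p *Policy) Validate(ctx context.Context, rawURL string) (*url.URL, string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, "", err
	}
	if !slices.Contains(p.AllowedSchemes, u.Scheme) {
		return nil, "", fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	port := u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	if !slices.Contains(p.AllowedPorts, port) {
		return nil, "", fmt.Errorf("port %q not allowed", port)
	}
	host := u.Hostname()
	if len(p.AllowedHosts) > 0 && !slices.Contains(p.AllowedHosts, host) {
		return nil, "", fmt.Errorf("host %q not allowed", host)
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip) // literal address: no DNS involved
	} else if ips, err = p.Resolver(ctx, host); err != nil {
		return nil, "", err
	}
	if len(ips) == 0 {
		return nil, "", fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		for _, blocked := range p.BlockedCIDR {
			if blocked.Contains(ip) {
				return nil, "", fmt.Errorf("host %q resolves to blocked address %s", host, ip)
			}
		}
	}
	return u, net.JoinHostPort(ips[0].String(), port), nil
}

// Get dials the address Validate approved instead of letting the transport resolve the name
// again (that second lookup is the DNS rebinding window) and refuses redirects, which would
// otherwise escape Validate. TLS still verifies the certificate against the URL's host name.
func (p *Policy) Get(ctx context.Context, rawURL string) (*http.Response, error) {
	u, pinned, err := p.Validate(ctx, rawURL)
	if err != nil {
		return nil, err
	}
	client := &http.Client{
		Transport: &http.Transport{DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, network, pinned)
		}},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	return client.Do(req)
}

func main() {
	p := &Policy{AllowedSchemes: []string{"https"}, AllowedPorts: []string{"443"},
		AllowedHosts: []string{"example.com"}, BlockedCIDR: DefaultBlocked,
		Resolver: func(ctx context.Context, h string) ([]net.IP, error) {
			return net.DefaultResolver.LookupIP(ctx, "ip", h)
		}}
	if resp, err := p.Get(context.Background(), "https://example.com"); err != nil {
		fmt.Println("rejected:", err)
	} else {
		resp.Body.Close()
		fmt.Println("status:", resp.Status)
	}
}
```

Two design points carry over to any SSRF guard: every address a name resolves to must pass the block list, not just the first, because an attacker-controlled zone can return a public and a private record together; and the address that passed validation must be the one actually dialed, which is why the dialer ignores the host the transport hands it. Pinning the dial address leaves the request's Host header and TLS server name untouched, so certificate verification and virtual hosting keep working.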

Running tests

To successfully run all the unit tests, you will need to run a local DNS and HTTP server. That can be done by executing the following command:

go run testing/servers.go

Once the servers are up and running, the unit tests can be run with:

go test -v

Credits

This tool has been created by Viktor Chuchurski and Alessandro Cotto of Doyensec LLC during our 25% research time.

Doyensec Research

README source: doyensec/safeurl