Ssrf Filter

Note: introduced in 1.2.0.

The :ssrf_filter plugin prevents server-side request forgery attacks by blocking requests to the internal network. This is useful when the URLs used to perform requests aren't under the developer's control (for example, when they are submitted through a web application form).

http = HTTPX.plugin(:ssrf_filter)

# this works
response = http.get("https://example.com")

# this doesn't
response = http.get("http://localhost:3002")
response = http.get("http://[::1]:3002")
response = http.get("http://169.254.169.254/latest/meta-data/") # AWS instance metadata endpoint

:extra_unsafe_ranges

You can extend the default list of IPs and ranges considered unsafe:

http = HTTPX.plugin(:ssrf_filter, extra_unsafe_ranges: [IPAddr.new("172.17.0.0/12")])

:safe_private_ranges

At the same time, you may want to allow some of the IPs or ranges considered unsafe by default:

http = HTTPX.plugin(:ssrf_filter, safe_private_ranges: [IPAddr.new("172.16.0.0/12")])
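The decision the two options above shape can be illustrated with the standard library alone. The following is an added example, not the plugin's own code: `safe_ip?` and `DEFAULT_UNSAFE_RANGES` are hypothetical names, the default block list is an assumption (the plugin's may differ), and the precedence rule (an address in `safe_private_ranges` wins over the unsafe lists) is also assumed. It only covers the per-address check; a real filter must apply it to the resolved address of every request, including redirects.

```ruby
require "ipaddr"

# Assumed default deny list: unspecified, loopback, link-local and private blocks.
# This is an illustration, not the httpx plugin's actual list.
DEFAULT_UNSAFE_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Returns true when +ip+ (a String or IPAddr) may be contacted.
# +extra_unsafe_ranges+ adds blocks to deny; +safe_private_ranges+ re-allows
# addresses that would otherwise be denied (assumed precedence).
def safe_ip?(ip, extra_unsafe_ranges: [], safe_private_ranges: [])
  addr = ip.is_a?(IPAddr) ? ip : IPAddr.new(ip)
  # An IPv4-mapped IPv6 address such as ::ffff:127.0.0.1 must be compared as
  # IPv4, otherwise it bypasses every IPv4 range in the list.
  addr = addr.native if addr.ipv4_mapped?
  return true if safe_private_ranges.any? { |range| range.include?(addr) }

  (DEFAULT_UNSAFE_RANGES + extra_unsafe_ranges).none? { |range| range.include?(addr) }
end
```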

Acknowledgement

This plugin is based on the ssrf_filter gem for net-http.
