Skip to content

A ruby gem for defending against Server Side Request Forgery (SSRF) attacks

License

Notifications You must be signed in to change notification settings

jakeyheath/ssrf_filter

 
 

Repository files navigation

ssrf_filter Gem TravisCI Coverage Status License

Table of Contents

What's it for

ssrf_filter makes it easy to defend against server side request forgery (SSRF) attacks. SSRF vulnerabilities happen when you accept URLs as user input and fetch them on your server (for instance, when a user enters a link into a Twitter/Facebook status update and a content preview is generated).

Users can pass in URLs or IPs such that your server will make requests to the internal network. For example if you're hosted on AWS they can request the instance metadata endpoint http://169.254.169.254/latest/meta-data/ and get your IAM credentials.

Attempts to guard against this are often implemented incorrectly, by blocking all ip addresses, not handling IPv6 or http redirects correctly, or having TOCTTOU bugs and other issues.

This gem provides a safe and easy way to fetch content from user-submitted urls. It:

  • handles URIs/IPv4/IPv6, redirects, DNS, etc, correctly
  • has 0 runtime dependencies
  • has a comprehensive test suite (100% code coverage)
  • is tested against ruby 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 3.0, and ruby-head

Quick start

  1. Add the gem to your Gemfile:
gem 'ssrf_filter', '~> 1.0'
  1. In your code:
require 'ssrf_filter'
response = SsrfFilter.get(params[:url]) # throws an exception for unsafe fetches
response.code
=> "200"
response.body
=> "<!doctype html>\n<html>\n<head>\n..."

API reference

SsrfFilter.get/.put/.post/.delete/.head(url, options = {}, &block)

Fetches the requested url using a get/put/post/delete/head request, respectively.

Params:

  • url — the url to fetch.
  • options — options hash (described below).
  • block — a block that will receive the HTTPRequest object before it's sent, if you need to do any pre-processing on it (see examples below).

Options hash:

  • :scheme_whitelist — an array of schemes to allow. Defaults to %w[http https].
  • :resolver — a proc that receives a hostname string and returns an array of IPAddr objects. Defaults to resolving with Ruby's Resolv. See examples below for a custom resolver.
  • :max_redirects — Maximum number of redirects to follow. Defaults to 10.
  • :params — Hash of params to send with the request.
  • :headers — Hash of headers to send with the request.
  • :body — Body to send with the request.
  • :http_options – Options to pass to Net::HTTP.start. Use this to set custom timeouts or SSL options.

Returns:

An HTTPResponse object if the url was fetched safely, or throws an exception if it was unsafe. All exceptions inherit from SsrfFilter::Error.

Examples:

# GET www.example.com
SsrfFilter.get('https://www.example.com')

# Pass params - these are equivalent
SsrfFilter.get('https://www.example.com?param=value')
SsrfFilter.get('https://www.example.com', params: {'param' => 'value'})

# POST, send custom header, and don't follow redirects
begin
  SsrfFilter.post('https://www.example.com', max_redirects: 0,
    headers: {'content-type' => 'application/json'})
rescue SsrfFilter::Error => e
  # Got an unsafe url
end

# Custom DNS resolution and request processing
resolver = proc do |hostname|
  [IPAddr.new('2001:500:8f::53')] # Static resolver
end
SsrfFilter.get('https://www.example.com', resolver: resolver) do |request|
  # Do some extra processing on the request
  request['content-type'] = 'application/json'
  request.basic_auth('username', 'password')
end

Changelog

Please see CHANGELOG.md. This project follows semantic versioning.

Contributing

Please see CONTRIBUTING.md.

About

A ruby gem for defending against Server Side Request Forgery (SSRF) attacks

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Ruby 100.0%