feat: improved SSRF protection
alnr committed Nov 17, 2023
1 parent 5ad9c46 commit 56e8955
Showing 10 changed files with 347 additions and 369 deletions.
7 changes: 4 additions & 3 deletions fetcher/fetcher_test.go
Expand Up @@ -13,7 +13,7 @@ import (
"testing"
"time"

"github.com/ory/x/httpx"
"github.com/hashicorp/go-retryablehttp"

"github.com/gobuffalo/httptest"
"github.com/julienschmidt/httprouter"
Expand All @@ -35,9 +35,10 @@ func TestFetcher(t *testing.T) {
_, err = file.WriteString(`{"foo":"baz"}`)
require.NoError(t, err)
require.NoError(t, file.Close())

rClient := retryablehttp.NewClient()
rClient.HTTPClient = ts.Client()
for fc, fetcher := range []*Fetcher{
NewFetcher(WithClient(httpx.NewResilientClient(httpx.ResilientClientWithClient(ts.Client())))),
NewFetcher(WithClient(rClient)),
NewFetcher(),
} {
for k, tc := range []struct {
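Review bot: The client built at `rClient := retryablehttp.NewClient()` keeps the library's default retry policy and its default stderr logger, so if any table case further down expects a fetch to fail, that case will sit through the default backoff before the error surfaces and will emit retry lines into the test output. Since retry behaviour is not what this test exercises, I would pin it right after construction: `rClient.RetryMax = 0` and `rClient.Logger = nil` (a small `rClient.RetryWaitMin` is the alternative if retries are wanted). TestFetcher begins before this hunk and its table continues past the end of the section, so I cannot see whether a failing case exists; the suggestion costs nothing either way.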
75 changes: 40 additions & 35 deletions go.mod
Expand Up @@ -3,11 +3,12 @@ module github.com/ory/x
go 1.20

require (
code.dny.dev/ssrf v0.2.0
github.com/auth0/go-jwt-middleware v1.0.1
github.com/avast/retry-go/v4 v4.3.0
github.com/bmatcuk/doublestar/v2 v2.0.4
github.com/bradleyjkemp/cupaloy/v2 v2.8.0
github.com/cenkalti/backoff/v4 v4.2.0
github.com/cenkalti/backoff/v4 v4.2.1
github.com/cockroachdb/cockroach-go/v2 v2.2.16
github.com/dgraph-io/ristretto v0.1.1
github.com/docker/docker v20.10.24+incompatible
Expand Down Expand Up @@ -76,27 +77,28 @@ require (
github.com/tidwall/pretty v1.2.1
github.com/tidwall/sjson v1.2.5
github.com/urfave/negroni v1.0.0
go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.36.4
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.36.4
go.opentelemetry.io/contrib/propagators/b3 v1.11.1
go.opentelemetry.io/contrib/propagators/jaeger v1.11.1
go.opentelemetry.io/contrib/samplers/jaegerremote v0.5.2
go.opentelemetry.io/otel v1.11.1
go.opentelemetry.io/otel/exporters/jaeger v1.11.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.9.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.9.0
go.opentelemetry.io/otel/exporters/zipkin v1.11.1
go.opentelemetry.io/otel/sdk v1.11.1
go.opentelemetry.io/otel/trace v1.11.1
go.opentelemetry.io/proto/otlp v0.18.0
go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.45.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0
go.opentelemetry.io/contrib/propagators/b3 v1.20.0
go.opentelemetry.io/contrib/propagators/jaeger v1.20.0
go.opentelemetry.io/contrib/samplers/jaegerremote v0.14.0
go.opentelemetry.io/otel v1.19.0
go.opentelemetry.io/otel/exporters/jaeger v1.17.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0
go.opentelemetry.io/otel/exporters/zipkin v1.19.0
go.opentelemetry.io/otel/sdk v1.19.0
go.opentelemetry.io/otel/trace v1.19.0
go.opentelemetry.io/proto/otlp v1.0.0
go.uber.org/goleak v1.2.1
golang.org/x/crypto v0.9.0
golang.org/x/mod v0.8.0
golang.org/x/net v0.10.0
golang.org/x/sync v0.1.0
golang.org/x/crypto v0.15.0
golang.org/x/mod v0.14.0
golang.org/x/net v0.18.0
golang.org/x/oauth2 v0.14.0
golang.org/x/sync v0.5.0
gonum.org/v1/plot v0.12.0
google.golang.org/grpc v1.56.3
google.golang.org/protobuf v1.30.0
google.golang.org/grpc v1.59.0
google.golang.org/protobuf v1.31.0
)

require (
Expand All @@ -120,10 +122,10 @@ require (
github.com/dustin/go-humanize v1.0.0 // indirect
github.com/fatih/color v1.13.0 // indirect
github.com/felixge/fgprof v0.9.3 // indirect
github.com/felixge/httpsnoop v1.0.3 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-fonts/liberation v0.2.0 // indirect
github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/go-logr/logr v1.3.0 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/errors v0.20.3 // indirect
github.com/go-openapi/strfmt v0.21.3 // indirect
Expand All @@ -142,12 +144,12 @@ require (
github.com/gofrs/flock v0.8.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
github.com/golang/glog v1.1.0 // indirect
github.com/golang/glog v1.1.2 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/pprof v0.0.0-20221010195024-131d412537ea // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/gorilla/css v1.0.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.12.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/imdario/mergo v0.3.13 // indirect
Expand Down Expand Up @@ -182,11 +184,11 @@ require (
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
github.com/opencontainers/runc v1.1.5 // indirect
github.com/openzipkin/zipkin-go v0.4.1 // indirect
github.com/openzipkin/zipkin-go v0.4.2 // indirect
github.com/pelletier/go-toml/v2 v2.0.6 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/rogpeppe/go-internal v1.9.0 // indirect
github.com/rogpeppe/go-internal v1.10.0 // indirect
github.com/segmentio/backo-go v1.0.1 // indirect
github.com/sergi/go-diff v1.2.0 // indirect
github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d // indirect
Expand All @@ -202,15 +204,18 @@ require (
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
go.mongodb.org/mongo-driver v1.10.3 // indirect
go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.1 // indirect
go.opentelemetry.io/otel/metric v0.33.0 // indirect
golang.org/x/image v0.10.0 // indirect
golang.org/x/sys v0.8.0 // indirect
golang.org/x/text v0.11.0 // indirect
golang.org/x/time v0.1.0 // indirect
golang.org/x/tools v0.6.0 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
go.opentelemetry.io/otel/metric v1.19.0 // indirect
golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
golang.org/x/image v0.14.0 // indirect
golang.org/x/sys v0.14.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.4.0 // indirect
golang.org/x/tools v0.15.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
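Review bot: `code.dny.dev/ssrf v0.2.0` enters the module graph as a new direct dependency on a pre-1.0 module served from a vanity import path, and it is the component the commit title relies on for the SSRF protection. A v0.x module carries no compatibility promise, so a later `go get -u` can change the set of blocked address ranges without any signal in the code that uses it; it would help to record in the commit description which upstream revision was reviewed and to treat bumps of this module as security-relevant rather than routine. The corresponding go.sum change is presumably among the ten files in this commit but is not visible here, so I cannot confirm the checksum pin. `golang.org/x/oauth2 v0.14.0` also becomes a direct requirement in this hunk; if no code in the module imports it yet, `go mod tidy` will move or drop it.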

0 comments on commit 56e8955
