Skip to content

v1.0.0

Choose a tag to compare

@sylvesterdamgaard sylvesterdamgaard released this 12 Jul 19:07

Initial release of cboxdk/laravel-ssrf — a hardened, config-driven SSRF guard for outbound URLs in Laravel.

Highlights:

  • Resolves both A and AAAA; blocks every private/reserved/cloud-metadata address.
  • DNS-rebinding defence: resolve once, pin via CURLOPT_RESOLVE (TLS-safe), verify the connected IP, disable redirects.
  • IPv6 transition forms (6to4, NAT64, Teredo, IPv4-mapped) blocked wholesale and embedded IPv4 re-checked (CVE-2026-48736 class).
  • Http::ssrf() macro, PublicUrl validation rule, browser-redirect mode, FakeResolver test seam.
  • Honest scope: network egress control is the complete fix.

CI is green (Pint, PHPStan max, 25 tests against real vectors, composer audit, license check, CycloneDX SBOM, TruffleHog secret scan, Semgrep SAST).