Skip to content

mccutchen/safedialer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

.github/workflows

.github/workflows

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

safedialer.go

safedialer.go

 
 

safedialer_example_test.go

safedialer_example_test.go

 
 

safedialer_test.go

safedialer_test.go

 
 

Repository files navigation

safedialer

Package safedialer provides a net.Dialer Control function that permits only TCP connections to port 80 and 443 on public IP addresses, so that an application may safely connect to possibly-malicious URLs controlled by external clients.

This code is very lightly adapted from Andrew Ayer's excellent 2019 blog post "Preventing Server Side Request Forgery in Golang", which explains the dangers of connecting to arbitrary URLs from your own application code.

Example usage

import (
    "fmt"
    "net"
    "net/http"

    "github.com/mccutchen/safedialer"
)

safeClient := &http.Client{
    Transport: &http.Transport{
        DialContext: (&net.Dialer{
            Control: safedialer.Control,
        }).DialContext,
    },
}

// Our safeClient will reject this request for a URL that resolves to a
// private IP address.
resp, err := safeClient.Get("http://www.10.0.0.1.nip.io")
if err != nil {
    fmt.Println("Prevented possibly malicious request")
}

Authors

Written by Andrew Ayer.

GitHub repo and test suite added by Will McCutchen.

Copying

All the content within this repository is dedicated to the public domain under the CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.

About

A golang net.Dialer control function that allows only safe network connections

Topics

golang http security networking ssrf

Resources

Readme

License

CC0-1.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Feb 6, 2024

Languages