safehttp

package module
v0.0.0-...-fc5c242 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 8, 2021 License: MIT Imports: 5 Imported by: 0

README

SafeHTTP Client

SafeHTTP provides a standard HTTP client with sensible defaults that can be used to make HTTP requests to untrusted URLs. This is useful, for instance, for dispatching outbound webhook requests to URLs provided by customers. The SafeHTTP client inspects the final IP address rather than just the provided URL, which protects you against SSRF even when the attacker uses a harmless-looking DNS record that points to localhost or another forbidden address.

Much of the code was adapted from Andrew Ayer's public domain code.

Installing

go get github.com/AlchemyTelcoSolutions/safehttp

Usage

// create client; an empty Options adds nothing to the default lists
client := safehttp.NewClient(safehttp.Options{})
// build a request to a forbidden endpoint
req, err := http.NewRequest("POST", "http://localhost:5000", nil)
if err != nil {
    log.Fatal(err)
}
// do the actual request; it should fail with a safehttp error
res, err := client.Do(req)
if err != nil {
    // safehttp won't let the call actually happen
    log.Printf("request blocked: %v", err)
    return
}
defer res.Body.Close()

Documentation

Index

Constants

This section is empty.

Variables

var (
	BadNetworkTypeErrCode     uint = 1
	BadHostPortPairErrCode    uint = 2
	BadIPAddressErrCode       uint = 3
	NotPublicIPAddressErrCode uint = 4
)

Functions

func NewClient

func NewClient(opts Options) *http.Client

NewClient returns a pointer to an http.Client with some sensible defaults, plus a custom dialer control that checks the receiving IP address against a forbidden-list and the network type against an allow-list. Both lists have sensible defaults that can be added to by means of the Options struct.
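A dialer control of the kind described above, as an added example that is not safehttp's own code: the check runs after DNS resolution, so it sees the literal IP the socket will connect to. The names checkDial, newCheckedClient, forbiddenCIDRs and errForbidden, and the contents of the forbidden-list, are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// Constructed forbidden-list for illustration; not safehttp's default list.
var forbiddenCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10"}

var errForbidden = errors.New("destination not allowed")

// checkDial runs as net.Dialer.Control: after DNS resolution, before connect,
// so address is always the literal IP:port the socket is about to use.
func checkDial(network, address string, _ syscall.RawConn) error {
	if network != "tcp4" && network != "tcp6" {
		return fmt.Errorf("%w: network type %q", errForbidden, network)
	}
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return fmt.Errorf("%w: bad host/port pair %q", errForbidden, address)
	}
	ip := net.ParseIP(host) // fails closed on hostnames and zoned addresses
	if ip == nil {
		return fmt.Errorf("%w: bad IP address %q", errForbidden, host)
	}
	for _, cidr := range forbiddenCIDRs {
		// Contains also matches IPv4-mapped IPv6 forms such as ::ffff:10.0.0.5.
		if _, block, _ := net.ParseCIDR(cidr); block.Contains(ip) {
			return fmt.Errorf("%w: %s is in %s", errForbidden, ip, cidr)
		}
	}
	return nil
}

// newCheckedClient is a hypothetical helper wiring checkDial into an http.Client.
func newCheckedClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: checkDial}
	return &http.Client{Timeout: 30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	fmt.Println(checkDial("tcp4", "127.0.0.1:5000", nil))
}
```

Because the control is attached to the dialer, it is applied to every connection the client opens, including those made while following redirects.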

Types

type Options

type Options struct {
	AllowedNetworkTypes []string
	ForbiddenIPs        []string
}

Options is a struct that can be passed into NewClient to override the default allow-list of network types and the default forbidden-list of IP addresses.

type SafeHTTPError

type SafeHTTPError struct {
	Err     error
	Text    string
	ErrCode uint
	// contains filtered or unexported fields
}

SafeHTTPError is the error type returned by the SafeHTTPClient when an attempt is made to use a forbidden network type or IP address.

func (*SafeHTTPError) Error

func (err *SafeHTTPError) Error() string

func (*SafeHTTPError) Unwrap

func (err *SafeHTTPError) Unwrap() error
