paranoidhttp

v0.2.0
Warning

This package is not in the latest version of its module.

Published: Apr 2, 2019 License: MIT Imports: 7 Imported by: 1

README

Paranoidhttp

Paranoidhttp provides a pre-configured http.Client that protects you from harm.

Description

Paranoidhttp is a factory of http.Client that is paranoid against attackers. This is useful when you create an HTTP request using inputs from possibly malicious users.

The created http.Client protects you from connecting to internal IP ranges even when redirects or DNS tricks are used.

Synopsis

// use the default client for ease
res, err := paranoidhttp.DefaultClient.Get("http://www.hatena.ne.jp")

// or customize the client for yourself
client, transport, dialer := paranoidhttp.NewClient()
client.Timeout = 10 * time.Second
transport.DisableCompression = true
dialer.KeepAlive = 60 * time.Second

// Add permitted IP networks with a functional option
// (net.ParseCIDR returns the IP, the network and an error)
_, ipNet, _ := net.ParseCIDR("127.0.0.1/32")
client, _, _ = paranoidhttp.NewClient(
    paranoidhttp.PermittedIPNets(ipNet))

Known Issues

  • Supports only IPv4 (blocks IPv6).

Acknowledgement

I want to thank LWPx::ParanoidAgent.

License

MIT

Author

hakobe

Documentation

Constants

This section is empty.

Variables

var (
	DefaultClient *http.Client
)

DefaultClient is the default Client whose setting is the same as http.DefaultClient.

Functions

func NewClient

func NewClient(opts ...Option) (*http.Client, *http.Transport, *net.Dialer)

NewClient returns a new http.Client configured to be paranoid against attackers.

This also returns the http.Transport and net.Dialer so that you can customize their behavior.

func NewDialer

func NewDialer(dialer *net.Dialer, opts ...Option) func(ctx context.Context, network, addr string) (net.Conn, error)

NewDialer returns a dialer function which only accepts IPv4 connections.

This is used to create a new paranoid http.Client, because I'm not sure about a paranoid behavior for IPv6 connections :(

Types

type Option added in v0.2.0

type Option func(*config)

Option type of paranoidhttp

func ForbiddenHosts added in v0.2.0

func ForbiddenHosts(hostRegs ...*regexp.Regexp) Option

ForbiddenHosts sets forbidden host rules by regexp

func ForbiddenIPNets added in v0.2.0

func ForbiddenIPNets(ips ...*net.IPNet) Option

ForbiddenIPNets sets forbidden IPNets

func PermittedIPNets added in v0.2.0

func PermittedIPNets(ips ...*net.IPNet) Option

PermittedIPNets sets permitted IPNets. It takes priority over other forbidden rules.
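
The rule order documented above (IPv4 only, permitted networks taking priority over forbidden ones), written as a dial-time check in plain Go. This is an added example, not paranoidhttp's own code: the policy type, mustCIDR, contains and control are hypothetical names, the addresses are constructed, and enforcing the check through net.Dialer's Control hook is an assumption about one way to do it, not a statement of how the package works.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"syscall"
)

// policy is a hypothetical stand-in, not paranoidhttp's own config type.
type policy struct{ permitted, forbidden []*net.IPNet }

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func contains(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// control sees the resolved IP:port of every connection attempt, redirects included.
func (p policy) control(_, address string, _ syscall.RawConn) error {
	host, _, _ := net.SplitHostPort(address) // malformed input leaves host empty
	ip := net.ParseIP(host)
	if ip.To4() == nil { // IPv4 only; unparsable addresses fail closed
		return fmt.Errorf("blocked: %q is not an IPv4 address", host)
	}
	if !contains(p.permitted, ip) && contains(p.forbidden, ip) {
		return fmt.Errorf("blocked: %s is in a forbidden range", ip)
	}
	return nil
}

func main() {
	p := policy{forbidden: []*net.IPNet{mustCIDR("127.0.0.0/8")}}
	d := &net.Dialer{Control: p.control}
	c := &http.Client{Transport: &http.Transport{DialContext: d.DialContext}}
	_, err := c.Get("http://127.0.0.1:1/") // constructed loopback target
	fmt.Println(err)                       // refused by control before connecting
}
```

The transport in this example sets no proxy; with a proxy configured, the hook would see the proxy's address rather than the target's.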
