This package aims to help with implementing SSRF protections. It differs from other packages in that it is kept automatically in sync with the IANA Special Purpose Registries for both IPv4 and IPv6 with some additions.
The generation is done by ssrfgen.
A Safe() method is provided that you can hook into a net.Dialer to prevent it from ever dialing to endpoints using certain protocols, destination ports or IPs in certain networks.
Once you have the dialer, you can pass it into things like an http.Transport to create an http.Client that won't allow requests to certain destinations.
It's worth pointing out that DNS resolution of the destination will still take place, so that a name can be translated to an IP first.
You can retrieve this package with:
go get code.dny.dev/ssrf
You can then call the New() function to get a Guardian and pass it on to your net.Dialer of choice.
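// Requires the "net", "net/http" and "code.dny.dev/ssrf" imports.
s := ssrf.New()
// Control runs for every connection the dialer is about to make.
dialer := &net.Dialer{
	Control: s.Safe,
}
transport := &http.Transport{
	DialContext: dialer.DialContext,
}
// Every request made through this client goes through the guarded dialer.
client := &http.Client{
	Transport: transport,
}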
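To show what a Control hook such as Safe() gets to inspect, the following is an added, standard-library-only example and not this package's code. The names safeControl, ErrBlocked and newClient, the short deny list and the allowed ports 80 and 443 are assumptions made for illustration; the package's generated IANA lists are far broader.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
)

var ErrBlocked = errors.New("destination blocked") // hypothetical sentinel error

// denied is a constructed, deliberately short deny list (not the IANA registries).
var denied = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("::1/128"),
}

// safeControl matches net.Dialer.Control. The dialer calls it after DNS
// resolution, so address is always the literal IP:port about to be connected.
func safeControl(network, address string, _ syscall.RawConn) error {
	if network != "tcp4" && network != "tcp6" {
		return fmt.Errorf("%w: network %s", ErrBlocked, network)
	}
	ap, err := netip.ParseAddrPort(address)
	if err != nil || (ap.Port() != 80 && ap.Port() != 443) {
		return fmt.Errorf("%w: address %s", ErrBlocked, address)
	}
	ip := ap.Addr().Unmap() // compare ::ffff:a.b.c.d as plain IPv4
	for _, p := range denied {
		if p.Contains(ip) {
			return fmt.Errorf("%w: %s is in %s", ErrBlocked, ip, p)
		}
	}
	return nil
}

// newClient wires the check into an http.Client, mirroring the README usage.
func newClient() *http.Client {
	d := &net.Dialer{Control: safeControl}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	_, err := newClient().Get("http://localhost:80/")
	fmt.Println(errors.Is(err, ErrBlocked), err)
}
```

Because the hook runs on each connection attempt against the resolved address, a hostname that resolves to a denied IP is rejected in the same way as a literal IP in the URL.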