https://github.com/mccutchen/safedialer
A golang net.Dialer control function that allows only safe network connections
golang http networking security ssrf
- Host: GitHub
- URL: https://github.com/mccutchen/safedialer
- Owner: mccutchen
- License: cc0-1.0
- Created: 2021-04-08T21:23:35.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2024-02-06T04:24:08.000Z (almost 2 years ago)
- Last Synced: 2024-06-21T15:33:49.466Z (over 1 year ago)
- Topics: golang, http, networking, security, ssrf
- Language: Go
- Homepage:
- Size: 8.79 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# safedialer
Package safedialer provides a [net.Dialer][dialer] `Control` function that
permits only TCP connections to ports 80 and 443 on public IP addresses, so that
an application may safely connect to possibly-malicious URLs controlled by
external clients. Because `Control` runs inside the dialer after name resolution
and just before `connect()`, the check is applied to the IP address that will
actually be used, which is what makes it robust against DNS rebinding and
against redirects that the `http.Client` follows through the same `Transport`.
This code is _very_ lightly adapted from [Andrew Ayer][]'s excellent 2019 blog
post ["Preventing Server Side Request Forgery in Golang"][blog], which explains
the dangers of connecting to arbitrary URLs from your own application code.
## Example usage
```go
package main

import (
	"fmt"
	"net"
	"net/http"

	"github.com/mccutchen/safedialer"
)

func main() {
	// Install safedialer.Control on the Dialer the Transport uses, so every
	// outbound TCP connection is checked before it is established.
	safeClient := &http.Client{
		Transport: &http.Transport{
			DialContext: (&net.Dialer{
				Control: safedialer.Control,
			}).DialContext,
		},
	}

	// safeClient rejects this request because the hostname resolves to a
	// private IP address (10.0.0.1).
	resp, err := safeClient.Get("http://www.10.0.0.1.nip.io")
	if err != nil {
		fmt.Println("Prevented possibly malicious request:", err)
		return
	}
	defer resp.Body.Close()
	fmt.Println("Unexpected success:", resp.Status)
}
```
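To show what a `Control` function of this kind has to do, here is an added example that implements the same policy (TCP to ports 80 or 443, public addresses only) from scratch. It is not the package's own code; it is a stand-alone illustration written for this page. The extra blocked ranges (CGNAT 100.64.0.0/10 and the NAT64 prefix 64:ff9b::/96) and the function names `isPublicIP`, `checkAddr` and `newSafeClient` are this example's own choices, not part of safedialer. The policy is kept in `checkAddr`, separate from the `syscall.RawConn` parameter, so it can be exercised without opening a socket; the sample inputs in `main` are constructed to look exactly like what `net.Dialer` hands to `Control`, a concrete `"tcp4"`/`"tcp6"` network and an already-resolved `ip:port` literal.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
)

// allowedPorts is the README's policy: outbound connections may only go to
// the standard HTTP and HTTPS ports.
var allowedPorts = map[string]bool{"80": true, "443": true}

// Ranges that netip.Addr's own predicates do not cover but that still reach
// non-public hosts. (Assumption of this example: the deployment has no
// legitimate need to reach CGNAT or NAT64 addresses.)
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("100.64.0.0/10"), // RFC 6598 shared address space (CGNAT)
	netip.MustParsePrefix("64:ff9b::/96"),  // RFC 6052 NAT64 prefix, wraps an IPv4 address
}

// isPublicIP reports whether ip is a globally routable unicast address.
func isPublicIP(ip netip.Addr) bool {
	// ::ffff:10.0.0.1 is the private 10.0.0.1 in disguise; unwrap it first.
	ip = ip.Unmap()
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() {
		return false
	}
	for _, p := range extraBlocked {
		if p.Contains(ip) {
			return false
		}
	}
	return true
}

// checkAddr holds the policy; network and address arrive exactly as
// net.Dialer passes them to Control: a concrete "tcp4"/"tcp6" and an
// already-resolved "ip:port" literal.
func checkAddr(network, address string) error {
	if network != "tcp4" && network != "tcp6" {
		return fmt.Errorf("safedialer: network %q not permitted", network)
	}
	host, port, err := net.SplitHostPort(address)
	if err != nil {
		return fmt.Errorf("safedialer: bad address %q: %w", address, err)
	}
	if !allowedPorts[port] {
		return fmt.Errorf("safedialer: port %s not permitted", port)
	}
	ip, err := netip.ParseAddr(host)
	if err != nil {
		// Control is only ever called with an IP literal; a hostname here
		// means something upstream skipped resolution, so refuse.
		return fmt.Errorf("safedialer: %q is not an IP address: %w", host, err)
	}
	if !isPublicIP(ip) {
		return fmt.Errorf("safedialer: %s is not a public IP address", ip)
	}
	return nil
}

// Control has the signature net.Dialer.Control expects.
func Control(network, address string, _ syscall.RawConn) error {
	return checkAddr(network, address)
}

// newSafeClient wires Control into an http.Client the same way the README does.
func newSafeClient() *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			DialContext: (&net.Dialer{Control: Control}).DialContext,
		},
	}
}

func main() {
	// Constructed sample inputs, in the form the dialer passes to Control.
	cases := []struct{ network, address string }{
		{"tcp4", "8.8.8.8:443"},           // public, allowed
		{"tcp4", "10.0.0.1:80"},           // RFC 1918
		{"tcp4", "169.254.169.254:80"},    // cloud metadata endpoint (link-local)
		{"tcp6", "[::ffff:10.0.0.1]:443"}, // IPv4-mapped IPv6
		{"tcp6", "[64:ff9b::a00:1]:443"},  // NAT64 wrapping 10.0.0.1
		{"tcp4", "8.8.8.8:8080"},          // public but wrong port
		{"udp", "8.8.8.8:443"},            // not TCP
	}
	for _, c := range cases {
		fmt.Printf("%-5s %-26s -> %v\n", c.network, c.address, checkAddr(c.network, c.address))
	}
	_ = newSafeClient()
}
```

The two cases a naive "is it 10.x/192.168.x?" check misses are the IPv4-mapped IPv6 form and the NAT64 form, both of which smuggle a private IPv4 address inside an IPv6 literal; `Unmap()` handles the first and the explicit prefix the second. Note that the policy deliberately refuses anything that is not an IP literal: by the time `Control` runs, resolution has already happened, so a hostname there is a sign that the dialer was bypassed.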
## Authors
Written by [Andrew Ayer][].
GitHub repo and test suite added by [Will McCutchen][].
## Copying
All the content within this repository is dedicated to the public domain under
the [CC0 1.0 Universal (CC0 1.0) Public Domain Dedication][cc-zero].
[Andrew Ayer]: https://agwa.name
[blog]: https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
[cc-zero]: https://creativecommons.org/publicdomain/zero/1.0/
[dialer]: https://golang.org/pkg/net/#Dialer
[Will McCutchen]: https://github.com/mccutchen