Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/skx/remotehttp

Magic wrapper to deny HTTP-requests to to "local" resources.
https://github.com/skx/remotehttp

go golang http library security transport utility wrapper

Last synced: 17 days ago
JSON representation

Magic wrapper to deny HTTP-requests to to "local" resources.

Host: GitHub
URL: https://github.com/skx/remotehttp
Owner: skx
License: gpl-2.0
Created: 2020-03-12T15:15:43.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-12-29T10:44:58.000Z (almost 4 years ago)
Last Synced: 2024-10-03T10:12:37.224Z (about 1 month ago)
Topics: go, golang, http, library, security, transport, utility, wrapper
Language: Go
Size: 37.1 KB
Stars: 8
Watchers: 3
Forks: 2
Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE

Awesome Lists containing this project

README

[![GoDoc](https://img.shields.io/static/v1?label=godoc&message=reference&color=blue)](https://pkg.go.dev/github.com/skx/remotehttp)
[![Go Report Card](https://goreportcard.com/badge/github.com/skx/remotehttp)](https://goreportcard.com/report/github.com/skx/remotehttp)
[![license](https://img.shields.io/github/license/skx/remotehttp.svg)](https://github.com/skx/remotehttp/blob/master/LICENSE)

# remotehttp

This repository contains a trivial helper for making secure HTTP-requests with golang.

# The Problem

Imagine you have a service to which users to submit tasks containing references to remote objects (HTTP-URLs).

* For example you might allow users to enter the location of a HTML document.
* Your service fetches that remote resource, then converts it to PDF, or similar.
* The results are then shown to the user.

Now imagine what happens if the user supplies URLs such as these, as input to your service:

* http://localhost/server-status
* http://169.254.169.254/latest/meta-data/

This package allows you to __prevent__ these inputs from being processed, easily.

## Using It

Sample usage can be found in [remotehttp_example_test.go](remotehttp_example_test.go).

## Other considerations

This wrapper-library only considers the case of `http` and `https` schemas; if you're accepting URIs of your own you should absolutely sanity-check you've not been given something with a `file://`, or `ftp://` prefix (and more!)

Other things you'll want to consider:

* Resource limits such as timeout-handling.
* Resource limits such as whether to follow redirections, and if so how many.

Steve