View Source SafeURL
SSRF Protection in Elixir 🛡️
SafeURL is a library that aids developers in protecting against a class of vulnerabilities known as Server Side Request Forgery. It does this by validating a URL against a configurable allow or block list before making an HTTP request. SafeURL is open-source and licensed under MIT.
This library was originally created by Nick Fox at Include Security, with substantial improvements contributed by the Slab team. As of January 2022, this library is now officially maintained by Slab.
See the Documentation on HexDocs.
Installation
Add safeurl
to your project dependencies in mix.exs
:
def deps do
[{:safeurl, "~> 0.2.0"}]
end
Usage
SafeURL
blocks private/reserved IP addresses are by default, and users can add additional
CIDR ranges to the blocklist, or alternatively allow specific CIDR ranges to which the
application is allowed to make requests.
You can use allowed?/2
or validate/2
to check if a URL is safe to call, or just call
it directly via get/4
which will validate it automatically before calling, and return an
error if it is not.
Examples
iex> SafeURL.allowed?("https://includesecurity.com")
true
iex> SafeURL.validate("http://google.com/", schemes: ~w[https])
{:error, :restricted}
iex> SafeURL.validate("http://230.10.10.10/")
{:error, :restricted}
iex> SafeURL.validate("http://230.10.10.10/", block_reserved: false)
:ok
iex> SafeURL.get("https://10.0.0.1/ssrf.txt")
{:error, :restricted}
iex> SafeURL.get("https://google.com/")
{:ok, %HTTPoison.Response{...}}
Configuration
SafeURL
can be configured to customize and override validation behaviour by passing the
following options:
:block_reserved
- Block reserved/private IP ranges. Defaults totrue
.:blocklist
- List of CIDR ranges to block. This is additive with:block_reserved
. Defaults to[]
.:allowlist
- List of CIDR ranges to allow. If specified, blocklist will be ignored. Defaults to[]
.:schemes
- List of allowed URL schemes. Defaults to["http, "https"]
.
These options can be passed to the function directly or set globally in your config.exs
file:
config :safeurl,
block_reserved: true,
blocklist: ~w[100.0.0.0/16],
schemes: ~w[https]
Find detailed documentation on HexDocs.
Contributing
- Fork, Enhance, Send PR
- Lock issues with any bugs or feature requests
- Implement something from Roadmap
- Spread the word :heart:
License
This package is available as open source under the terms of the MIT License.