A golang net.Dialer control function that allows only safe network connections

mccutchen/safedialer

safedialer

Package safedialer provides a net.Dialer Control function that permits only TCP connections to ports 80 and 443 on public IP addresses, so that an application may safely connect to possibly-malicious URLs controlled by external clients (a server-side request forgery mitigation).

This code is very lightly adapted from Andrew Ayer's excellent 2019 blog post "Preventing Server Side Request Forgery in Golang", which explains the dangers of connecting to arbitrary URLs from your own application code.
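To show what a Control function of this kind has to check, here is an added, self-contained illustration; it is not the safedialer package's source and not Andrew Ayer's code, and the exact blocklist of address ranges is an assumption made for the example. The important property it demonstrates is where the hook runs: net.Dialer calls Control after DNS resolution and just before connect(), so `address` is always a literal IP:port, and a hostname that resolves to an internal address is caught regardless of how the URL was spelled.

```go
package main

import (
	"fmt"
	"net/netip"
	"syscall"
)

// allowedPorts: only plain HTTP and HTTPS may be dialled.
var allowedPorts = map[uint16]bool{80: true, 443: true}

// blockedRanges is a constructed list of address space that a server fetching
// client-supplied URLs should never reach. It is an assumption of this example,
// not the package's actual list.
var blockedRanges = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),       // "this" network
	netip.MustParsePrefix("10.0.0.0/8"),      // RFC 1918 private
	netip.MustParsePrefix("100.64.0.0/10"),   // carrier-grade NAT
	netip.MustParsePrefix("127.0.0.0/8"),     // loopback
	netip.MustParsePrefix("169.254.0.0/16"),  // link-local; cloud metadata endpoints live here
	netip.MustParsePrefix("172.16.0.0/12"),   // RFC 1918 private
	netip.MustParsePrefix("192.0.0.0/24"),    // IETF protocol assignments
	netip.MustParsePrefix("192.0.2.0/24"),    // TEST-NET-1
	netip.MustParsePrefix("192.168.0.0/16"),  // RFC 1918 private
	netip.MustParsePrefix("198.18.0.0/15"),   // benchmarking
	netip.MustParsePrefix("198.51.100.0/24"), // TEST-NET-2
	netip.MustParsePrefix("203.0.113.0/24"),  // TEST-NET-3
	netip.MustParsePrefix("224.0.0.0/4"),     // multicast
	netip.MustParsePrefix("240.0.0.0/4"),     // reserved and broadcast
	netip.MustParsePrefix("::/128"),          // unspecified
	netip.MustParsePrefix("::1/128"),         // IPv6 loopback
	netip.MustParsePrefix("fc00::/7"),        // IPv6 unique local
	netip.MustParsePrefix("fe80::/10"),       // IPv6 link-local
	netip.MustParsePrefix("ff00::/8"),        // IPv6 multicast
}

// isPublic reports whether ip falls outside every blocked range. IPv4-mapped
// IPv6 addresses (::ffff:10.0.0.1) are unmapped first so they hit the IPv4
// list, and any zone is stripped because Prefix.Contains rejects zoned addrs.
func isPublic(ip netip.Addr) bool {
	ip = ip.Unmap().WithZone("")
	for _, p := range blockedRanges {
		if p.Contains(ip) {
			return false
		}
	}
	return true
}

// Control has the net.Dialer.Control signature. Returning a non-nil error
// aborts the dial before any packet is sent.
func Control(network, address string, _ syscall.RawConn) error {
	// By the time Control runs, "tcp" has been narrowed to tcp4 or tcp6.
	if network != "tcp4" && network != "tcp6" {
		return fmt.Errorf("safedialer: network %q not permitted", network)
	}
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("safedialer: unparseable address %q: %w", address, err)
	}
	if !allowedPorts[ap.Port()] {
		return fmt.Errorf("safedialer: port %d not permitted", ap.Port())
	}
	if !isPublic(ap.Addr()) {
		return fmt.Errorf("safedialer: %s is not a public address", ap.Addr())
	}
	return nil
}

func main() {
	// Constructed sample dial targets: the first two should be refused.
	for _, addr := range []string{"10.0.0.1:80", "[::ffff:169.254.169.254]:80", "8.8.8.8:443"} {
		fmt.Printf("%-32s -> %v\n", addr, Control("tcp4", addr, nil))
	}
}
```

Because the decision is made on the resolved address rather than on the URL's hostname, it is not fooled by DNS names that point inward or by redirects to such names: every hop that http.Client follows goes through the same dialer and the same check.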

Example usage

```go
package main

import (
	"fmt"
	"net"
	"net/http"

	"github.com/mccutchen/safedialer"
)

func main() {
	// Install safedialer.Control on the dialer used by this client's transport.
	safeClient := &http.Client{
		Transport: &http.Transport{
			DialContext: (&net.Dialer{
				Control: safedialer.Control,
			}).DialContext,
		},
	}

	// Our safeClient will reject this request for a URL that resolves to a
	// private IP address.
	resp, err := safeClient.Get("http://www.10.0.0.1.nip.io")
	if err != nil {
		fmt.Println("Prevented possibly malicious request")
		return
	}
	defer resp.Body.Close()
	fmt.Println("Response status:", resp.Status)
}
```

Authors

Written by Andrew Ayer.

GitHub repo and test suite added by Will McCutchen.

Copying

All the content within this repository is dedicated to the public domain under the CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.
