ssrf

package
v0.0.0-...-c10ddb5 Latest
This package is not in the latest version of its module.
Published: Nov 14, 2025 | License: Apache-2.0, MIT | Imports: 5 | Imported by: 0

Documentation

Overview

Written in 2019 by Andrew Ayer. Patched 2025, Bluesky Social PBC.

Original: https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang

To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsPublicIPAddress

func IsPublicIPAddress(address net.IP) bool

func PublicOnlyControl

func PublicOnlyControl(network string, address string, conn syscall.RawConn) error

Implementation of the net.Dialer `Control` field (a function), which avoids some SSRF attacks by rejecting connections to local IPv4 and IPv6 address ranges and allowing only ports 80 and 443.

func PublicOnlyDialer

func PublicOnlyDialer() *net.Dialer

Returns a net.Dialer with PublicOnlyControl as its `Control` function (for SSRF protection). The other fields have the same default values as in the standard library.

func PublicOnlyTransport

func PublicOnlyTransport() *http.Transport

Returns an http.Transport that uses PublicOnlyDialer for its `DialContext` field (for SSRF protection). The other fields have the same default values as in the standard library.

Use this in an http.Client like: `c := http.Client{ Transport: PublicOnlyTransport() }`
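The technique these functions describe, as a stand-alone sketch added here; it is not this package's source. The names `isPublic`, `control`, `newClient` and `extraReserved`, the extra deny-list ranges, and the sample addresses are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"syscall"
)

// Ranges the net.IP helpers below do not cover (constructed, not exhaustive).
var extraReserved = []string{"0.0.0.0/8", "100.64.0.0/10", "198.18.0.0/15", "240.0.0.0/4"}

// isPublic is a hypothetical helper: true only for globally routable unicast.
func isPublic(ip net.IP) bool {
	if ip == nil || !ip.IsGlobalUnicast() || ip.IsPrivate() {
		return false // unparsable, loopback, link-local, multicast, RFC 1918, fc00::/7
	}
	for _, cidr := range extraReserved {
		if _, n, err := net.ParseCIDR(cidr); err != nil || n.Contains(ip) {
			return false // fail closed on a bad deny-list entry
		}
	}
	return true
}

// control has the net.Dialer Control signature; address is the literal IP:port being dialed.
func control(network, address string, _ syscall.RawConn) error {
	host, port, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if port != "80" && port != "443" {
		return fmt.Errorf("ssrf guard: port %s not allowed", port)
	}
	if !isPublic(net.ParseIP(host)) { // IPv4-mapped IPv6 is unwrapped by net.IP
		return fmt.Errorf("ssrf guard: %s is not a public address", host)
	}
	return nil
}

// newClient wires the hook into an http.Client via Dialer -> Transport.
func newClient() *http.Client {
	d := &net.Dialer{Control: control}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	fmt.Println(control("tcp4", "169.254.169.254:80", nil), control("tcp4", "8.8.8.8:443", nil))
}
```

Because the hook receives the resolved IP rather than the hostname from the URL, a hostname that resolves to an internal address is rejected at connect time, on redirects as well as on the first request.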

Types

This section is empty.
