This library wraps the excellent Python HTTP client library Requests, adding several SSRF-related security controls to HTTP requests.
Disclaimer: This library is currently in a developmental stage. Due to the lack of extensive test case coverage, it should be considered insecure and, at best, experimental. Nonetheless, these features aim to provide a more secure and controlled HTTP request environment, suitable for developers who prioritize stringent security measures in their applications.
- Blocking Requests to Non-Public Internet IPs: Prevents access to some private and reserved IP ranges.
- Protection Against DNS Rebinding Attacks: Resolves the IP once per session to safeguard against DNS rebinding. $${\color{red} Vulnerable-to-DNS-REBIND-SSRF}$$ Still can't find a proper way to do this in Python with requests or urllib. There is still an exploitable race condition.
- Disabling HTTP Redirects: Redirects are not followed by default to maintain control over request destinations. See redirect-based SSRF.
- Forbidding IPv6 Usage: Blocks all connections to IPv6 addresses. IPv6 support might be enabled in the future as its implications for SSRF become clearer. PRs are welcome.
- ⛔DNS Rebind based SSRF not fully mitigated⛔ (Any info on how this could be accomplished while still using urllib/requests would be much appreciated)
- Currently only `GET` is implemented.
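As an added illustration (not this library's code) of the non-public-IP and IPv6 checks listed above, here is the validation a wrapper performs before handing a URL to `requests` with `allow_redirects=False`; the `resolver` parameter and the `*.example` hosts in `_FAKE_DNS` are constructed so it runs offline. Like the library, it validates and then connects in two steps, so the DNS rebinding race the README admits still applies.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def is_public_ipv4(ip_str):
    ip = ipaddress.ip_address(ip_str)
    # is_global already excludes RFC 1918, loopback, link-local (169.254.169.254), CGNAT and
    # reserved space; multicast needs its own test because ipaddress treats 224/4 as global.
    return ip.version == 4 and ip.is_global and not ip.is_multicast

def resolve_ipv4(hostname, resolver=socket.getaddrinfo):
    # AF_INET only, so an AAAA answer can never become the connection target
    try:
        infos = resolver(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ValueError(f"could not resolve {hostname!r} over IPv4: {exc}") from exc
    return sorted({info[4][0] for info in infos})

def check_url(url, resolver=socket.getaddrinfo):
    """Return the resolved addresses if all are public IPv4, otherwise raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    addrs = resolve_ipv4(parts.hostname, resolver)
    blocked = [a for a in addrs if not is_public_ipv4(a)]
    if blocked:  # a single non-public answer is enough to refuse the whole request
        raise ValueError(f"{parts.hostname!r} resolves to non-public address(es): {blocked}")
    return addrs

def url_is_allowed(url, resolver=socket.getaddrinfo):
    try:
        check_url(url, resolver)
        return True
    except ValueError:
        return False

def safe_get(url, **kwargs):
    import requests  # imported here so the checks above also work without requests installed
    check_url(url)
    kwargs.setdefault("allow_redirects", False)  # hand any 3xx back to the caller
    return requests.get(url, **kwargs)

# Constructed DNS table (hypothetical hostnames) so the checks can be exercised offline.
_FAKE_DNS = {"public.example": ["93.184.216.34"], "internal.example": ["10.0.0.5"],
             "mixed.example": ["93.184.216.34", "192.168.1.10"]}

def fake_resolver(host, port, family, socktype):
    # stand-in for socket.getaddrinfo, returning 5-tuples of the same shape
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"unknown host {host!r}")
    return [(family, socktype, 6, "", (ip, port or 0)) for ip in _FAKE_DNS[host]]
```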
This library is potentially beneficial in cases where untrusted input is passed to an HTTP client, which we believe is always the case when:
- DNS is being resolved.
- An untrusted HTTP endpoint is queried, due to the possibility of encountering HTTP redirects (301, 302, 303, 307, 308).
- Non-trusted (e.g. user-supplied) input is used to craft a URL.
We acknowledge that a more effective approach to securing HTTP client libraries might involve isolation at the OS or network level. However, this library provides an application-level solution as an interim measure.
TBD
```bash
pip install git+http://foo/bar
```
```python
import requests
from anti_SSRF_requests_adapter import AntiSSRFSession

# The session applies the SSRF controls listed above; a blocked request raises ValueError.
assrf_session = AntiSSRFSession()
try:
    response = assrf_session.get('http://example.com')
    print(response.content)
except ValueError as e:
    print(f"An error occurred: {e}")
```