anti_SSRF_requests_adapter

SSRF protection for Python Requests Library

Overview

This library wraps the excellent Python HTTP client library Requests, adding several SSRF-related security controls to HTTP requests.

Disclaimer: This library is currently in a developmental stage. Due to the lack of extensive test case coverage, it should be considered insecure and, at best, experimental. Nonetheless, these features aim to provide a more secure and controlled HTTP request environment, suitable for developers who prioritize stringent security measures in their applications.

Features

  • Blocking Requests to Non-Public Internet IPs: Prevents access to some private and reserved IP ranges.
  • Protection Against DNS Rebinding Attacks: Resolves IP once per session to safeguard against DNS rebinding. $${\color{red} Vulnerable-to-DNS-REBIND-SSRF}$$ Still can't find a proper way to do this in Python with requests or urllib. There is still an exploitable race condition.
  • Disabling HTTP Redirects: Redirects are not followed by default to maintain control over request destinations. See redirect-based SSRF.
  • Forbidding IPv6 Usage: Blocks all connections to IPv6 addresses. IPv6 support might be enabled in the future as its implications for SSRF become clearer. PRs are welcome.
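The following is an added example (not part of this library) that implements the first three feature-list controls for plain `http://` URLs: resolve the hostname, refuse every answer that is not a globally routable IPv4 address, then rewrite the URL so the socket connects to the already-validated IP literal while the original name travels in the `Host` header, and disable redirects. Because the connection is made to the numeric address, the name is not looked up a second time at connect time. The `constructed_resolver` table and its addresses are made-up test data; the `system_resolver`, `is_allowed_ip`, `pin_url`, `is_blocked` and `anti_ssrf_get` names are this example's own. HTTPS is deliberately out of scope here, since rewriting the host to an IP breaks certificate hostname verification and would need a custom adapter.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit


def is_allowed_ip(ip_str):
    """True only for a globally routable IPv4 address.

    IPv6 is refused outright, and every special-purpose IPv4 range the
    stdlib knows (RFC 1918, loopback, link-local incl. 169.254.169.254,
    CGNAT 100.64/10, multicast, reserved, 0.0.0.0) is refused as well.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        return False
    blocked = (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
        or not ip.is_global
    )
    return not blocked


def system_resolver(host):
    """Real resolver: every A/AAAA answer for host (AAAA answers get refused later).

    Passing literals such as '0x7f.1' through getaddrinfo means odd
    encodings are normalised by the OS before the policy check runs.
    """
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def constructed_resolver(host):
    """Constructed stand-in for DNS so the example runs offline (test data only)."""
    table = {
        "example.test": ["93.184.216.34"],             # public address
        "metadata.test": ["169.254.169.254"],           # link-local (cloud metadata range)
        "dual.test": ["93.184.216.34", "10.0.0.5"],     # one public, one private answer
        "v6.test": ["2001:db8::1"],                     # IPv6 only
    }
    return table.get(host, [])


def pin_url(url, resolver=system_resolver):
    """Validate url and return (pinned_url, headers).

    pinned_url has the host replaced by the validated IPv4 literal; headers
    carries the original Host so the server still sees the right name.
    Raises ValueError for anything the policy refuses.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError(f"only http:// is supported here, got {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    answers = resolver(host)
    if not answers:
        raise ValueError(f"{host} did not resolve")
    # Every answer must pass: a mixed public/private answer set is refused,
    # otherwise the client would be at the mercy of which record it picks.
    bad = [a for a in answers if not is_allowed_ip(a)]
    if bad:
        raise ValueError(f"{host} resolves to a blocked address: {', '.join(bad)}")
    pinned_ip = answers[0]
    port = parts.port
    netloc = pinned_ip if port is None else f"{pinned_ip}:{port}"
    pinned_url = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
    headers = {"Host": host if port is None else f"{host}:{port}"}
    return pinned_url, headers


def is_blocked(url, resolver=system_resolver):
    """Convenience predicate: does the policy refuse this URL?"""
    try:
        pin_url(url, resolver)
    except ValueError:
        return True
    return False


def anti_ssrf_get(url, resolver=system_resolver, timeout=10, **kwargs):
    """GET url through the policy with redirects disabled (needs the requests package)."""
    import requests  # imported lazily so the policy code above runs without it installed
    pinned_url, headers = pin_url(url, resolver)
    headers.update(kwargs.pop("headers", None) or {})
    kwargs.pop("allow_redirects", None)
    # A 3xx answer is returned to the caller unfollowed; Location is never fetched.
    return requests.get(pinned_url, headers=headers, allow_redirects=False,
                        timeout=timeout, **kwargs)


if __name__ == "__main__":
    print(pin_url("http://example.test:8080/a?b=1", constructed_resolver))
    for u in ("http://metadata.test/latest", "http://dual.test/", "http://v6.test/"):
        print(u, "blocked" if is_blocked(u, constructed_resolver) else "allowed")
```

With the real resolver, `anti_ssrf_get("http://0x7f.1/")` is refused because getaddrinfo normalises the odd literal to 127.0.0.1 before `is_allowed_ip` sees it; the check runs on what the OS would actually connect to, not on the string the user typed.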

Limitation

  • ⛔DNS Rebind based SSRF not fully mitigated⛔ (Any info on how this could be accomplished while still using urllib/requests would be much appreciated)
  • currently only GET is implemented

Rationale

This library is potentially beneficial in cases where untrusted input is passed to an HTTP client, which we believe is always the case when:

  • DNS is being resolved.
  • An untrusted HTTP endpoint is queried, due to the possibility of encountering HTTP redirects (301, 302, 303, 307, 308).
  • Non-trusted (e.g. user-supplied) input is used to craft a URL.

We acknowledge that a more effective approach to securing HTTP client libraries might involve isolation at the OS or network level. However, this library provides an application-level solution as an interim measure.

Install

TBD
pip install git+http://foo/bar

Setup

import requests
from anti_SSRF_requests_adapter import AntiSSRFSession

assrf_session = AntiSSRFSession()

Usage

try:
    response = assrf_session.get('http://example.com')
    print(response.content)
except ValueError as e:
    print(f"An error occurred: {e}")