defmodule SafeURL do
@moduledoc """
`SafeURL` is library for mitigating Server Side Request
Forgery vulnerabilities in Elixir. Private/reserved IP
addresses are blocked by default, and users can add
additional CIDR ranges to the blocklist, or alternatively
allow specific CIDR ranges to which the application is
allowed to make requests.
You can use `allowed?/2` or `validate/2` to check if a
URL is safe to call. If the `HTTPoison` application is
available, you can also call `get/4` directly which will
validate the host before making an HTTP request.
## Examples
iex> SafeURL.allowed?("https://includesecurity.com")
true
iex> SafeURL.validate("http://google.com/", schemes: ~w[https])
{:error, :restricted}
iex> SafeURL.validate("http://230.10.10.10/")
{:error, :restricted}
iex> SafeURL.validate("http://230.10.10.10/", block_reserved: false)
:ok
# If HTTPoison is available:
iex> SafeURL.get("https://10.0.0.1/ssrf.txt")
{:error, :restricted}
iex> SafeURL.get("https://google.com/")
{:ok, %HTTPoison.Response{...}}
## Options
`SafeURL` can be configured to customize and override
validation behaviour by passing the following options:
* `:block_reserved` - Block reserved/private IP ranges.
Defaults to `true`.
* `:blocklist` - List of CIDR ranges to block. This is
additive with `:block_reserved`. Defaults to `[]`.
* `:allowlist` - List of CIDR ranges to allow. If
specified, blocklist will be ignored. Defaults to `[]`.
* `:schemes` - List of allowed URL schemes. Defaults to
`["http, "https"]`.
* `:dns_module` - Any module that implements the
`SafeURL.DNSResolver` behaviour. Defaults to `DNS` from
the `:dns` package.
If `:block_reserved` is `true` and additional hosts/ranges
are supplied with `:blocklist`, both of them are included in
the final blocklist to validate the address. If allowed
ranges are supplied with `:allowlist`, all blocklists are
ignored and any hosts not explicitly declared in the allowlist
are rejected.
These options can be set globally in your `config.exs` file:
config :safeurl,
block_reserved: true,
blocklist: ~w[100.0.0.0/16],
schemes: ~w[https],
dns_module: MyCustomDNSResolver
Or they can be passed to the function directly, overriding any
global options if set:
iex> SafeURL.validate("http://10.0.0.1/", block_reserved: false)
:ok
iex> SafeURL.validate("https://app.service/", allowlist: ~w[170.0.0.0/24])
:ok
iex> SafeURL.validate("https://app.service/", blocklist: ~w[170.0.0.0/24])
{:error, :restricted}
"""
@reserved_ranges [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/29",
"192.0.2.0/24",
"192.88.99.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"224.0.0.0/4",
"240.0.0.0/4"
]
# Public API
# ----------
@doc """
Validate a string URL against a blocklist or allowlist.
This method checks if a URL is safe to be called by looking at
its scheme and resolved IP address, and matching it against
reserved CIDR ranges, and any provided allowlist/blocklist.
Returns `true` if the URL meets the requirements,
`false` otherwise.
## Examples
iex> SafeURL.allowed?("https://includesecurity.com")
true
iex> SafeURL.allowed?("http://10.0.0.1/")
false
iex> SafeURL.allowed?("http://10.0.0.1/", allowlist: ~w[10.0.0.0/8])
true
## Options
See [`Options`](#module-options) section above.
"""
@spec allowed?(binary(), Keyword.t()) :: boolean()
def allowed?(url, opts \\ []) do
uri = URI.parse(url)
opts = build_options(opts)
address = resolve_address(uri.host, opts.dns_module)
cond do
uri.scheme not in opts.schemes ->
false
opts.allowlist != [] ->
ip_in_ranges?(address, opts.allowlist)
true ->
!ip_in_ranges?(address, opts.blocklist)
end
end
@doc """
Alternative method of validating a URL, returning atoms instead
of booleans.
This calls `allowed?/2` underneath to check if a URL is safe to
be called. If it is, it returns `:ok`, otherwise
`{:error, :restricted}`.
## Examples
iex> SafeURL.validate("https://includesecurity.com")
:ok
iex> SafeURL.validate("http://10.0.0.1/")
{:error, :restricted}
iex> SafeURL.validate("http://10.0.0.1/", allowlist: ~w[10.0.0.0/8])
:ok
## Options
See [`Options`](#module-options) section above.
"""
@spec validate(binary(), Keyword.t()) :: :ok | {:error, :restricted}
def validate(url, opts \\ []) do
if allowed?(url, opts) do
:ok
else
{:error, :restricted}
end
end
@doc """
Validate a URL and execute a GET request using `HTTPoison`.
If the URL is safe, this function will execute the request using
`HTTPoison`, returning the result directly. Otherwise, it will
return `{:error, :restricted}`.
`headers` and `httpoison_options` will be passed directly to
`HTTPoison` when the request is executed. This function will
raise if `HTTPoison` if not available.
See `allowed?/2` for more details on URL validation.
## Examples
iex> SafeURL.get("https://10.0.0.1/ssrf.txt")
{:error, :restricted}
iex> SafeURL.get("https://google.com/")
{:ok, %HTTPoison.Response{...}}
iex> SafeURL.get("https://google.com/", schemes: ~w[ftp])
{:error, :restricted}
## Options
See [`Options`](#module-options) section above.
"""
@spec get(binary(), Keyword.t(), HTTPoison.headers(), Keyword.t()) ::
{:ok, HTTPoison.Response.t()} | {:error, :restricted} | no_return()
def get(url, options \\ [], headers \\ [], httpoison_options \\ []) do
unless function_exported?(HTTPoison, :get, 3) do
raise "HTTPoison.get/3 not available"
end
with :ok <- validate(url, options) do
HTTPoison.get(url, headers, httpoison_options)
end
end
# Private Helpers
# ---------------
# Return a map of calculated options
defp build_options(opts) do
schemes = get_option(opts, :schemes)
allowlist = get_option(opts, :allowlist)
blocklist = get_option(opts, :blocklist)
dns_module = get_option(opts, :dns_module)
blocklist =
if get_option(opts, :block_reserved) do
blocklist ++ @reserved_ranges
else
blocklist
end
%{schemes: schemes, allowlist: allowlist, blocklist: blocklist, dns_module: dns_module}
end
# Get the value of a specific option, either from the application
# configs or overrides explicitly passed as arguments.
defp get_option(opts, key) do
if Keyword.has_key?(opts, key) do
Keyword.get(opts, key)
else
Application.get_env(:safeurl, key)
end
end
# Resolve hostname in DNS to an IP address (if not already an IP)
defp resolve_address(hostname, dns_module) do
hostname
|> to_charlist()
|> :inet.parse_address()
|> case do
{:ok, ip} ->
ip
{:error, :einval} ->
# TODO: safely handle multiple IPs/round-robin DNS
case dns_module.resolve(hostname) do
{:ok, ips} -> ips |> List.wrap() |> List.first()
{:error, _reason} -> nil
end
end
end
defp ip_in_ranges?({_, _, _, _} = addr, ranges) when is_list(ranges) do
Enum.any?(ranges, fn range ->
range
|> InetCidr.parse()
|> InetCidr.contains?(addr)
end)
end
defp ip_in_ranges?(_addr, _ranges), do: false
end