Module safe_http

SSRF defenses for server-side cross-registry resolution (RFC-ACDP-0006 §7).

§Single source of SSRF policy

This module is the single source of truth for ACDP’s SSRF policy across both the client and server features. The server-scoped path (crate::registry::safe_http) does not reimplement any of this — it only re-exports SsrfPolicy from here (see src/registry/safe_http.rs). Any change to blocked IP ranges, the HTTPS-only rule, redirect limits, or DNS-rebinding handling therefore applies to client and server alike; there is no second copy to keep in sync. Do not add a divergent implementation under registry/.

When a registry resolves a foreign acdp:// reference on behalf of a consumer, it must defend against attacker-supplied URIs that target the registry’s own internal network. This module implements the policy decisions enumerated by §7:

  • §7.1 Reject loopback, RFC 1918 / 4193 private ranges, link-local, multicast, the AWS / GCP metadata endpoint (169.254.169.254), and the IPv6 equivalents.
  • §7.2 HTTPS-only.
  • §7.3 Response-size caps.
  • §7.5 Maximum redirects, same-authority only.
  • §7.6 DNS rebinding protection. SsrfPolicy::pin_resolved_ip resolves a hostname once, validates every returned IP, and returns a SocketAddr that the caller pins into reqwest::Client::builder().resolve(host, addr) — so the filter and the connection use the same IP, defeating a hostile DNS server flipping the answer between the two. Per §7.1 the resolution is rejected outright if any returned IP is forbidden — a public answer cannot mask a private one.
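The §7.1 address filter and the §7.6 "reject the whole resolution if any answer is forbidden, then pin one validated address" rule, as an added stand-alone example (not the crate's own SsrfPolicy or classify_* code; the Forbidden enum and the pin_resolved function are hypothetical names, and the resolver answer is passed in as a constructed slice so no network is touched):

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

/// Why an address was refused. Hypothetical names modelled on the
/// page's SsrfReason; this is not the crate's own enum.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Forbidden { Loopback, Private, LinkLocal, Multicast, Unspecified, Empty }

/// §7.1 for IPv4. 169.254.169.254 (cloud metadata) lies inside the
/// link-local block, so the same rule rejects it.
fn classify_v4(ip: Ipv4Addr) -> Result<(), Forbidden> {
    if ip.is_loopback() { return Err(Forbidden::Loopback); }
    if ip.is_unspecified() || ip.is_broadcast() { return Err(Forbidden::Unspecified); }
    if ip.is_private() { return Err(Forbidden::Private); }     // RFC 1918
    if ip.is_link_local() { return Err(Forbidden::LinkLocal); } // 169.254.0.0/16
    if ip.is_multicast() { return Err(Forbidden::Multicast); }
    Ok(())
}

/// §7.1 for IPv6. IPv4-mapped addresses (::ffff:a.b.c.d) are unwrapped and
/// checked as IPv4 so the mapped form cannot bypass the IPv4 rules.
fn classify_v6(ip: Ipv6Addr) -> Result<(), Forbidden> {
    if let Some(v4) = ip.to_ipv4_mapped() { return classify_v4(v4); }
    if ip.is_loopback() { return Err(Forbidden::Loopback); }
    if ip.is_unspecified() { return Err(Forbidden::Unspecified); }
    let first = ip.segments()[0];
    if (first & 0xfe00) == 0xfc00 { return Err(Forbidden::Private); }   // RFC 4193 fc00::/7
    if (first & 0xffc0) == 0xfe80 { return Err(Forbidden::LinkLocal); } // fe80::/10
    if ip.is_multicast() { return Err(Forbidden::Multicast); }          // ff00::/8
    Ok(())
}

pub fn classify_ip(ip: IpAddr) -> Result<(), Forbidden> {
    match ip { IpAddr::V4(v4) => classify_v4(v4), IpAddr::V6(v6) => classify_v6(v6) }
}

/// §7.6: take the complete answer of one DNS resolution, reject the whole
/// resolution if *any* IP is forbidden, otherwise pin the first IP so the
/// connection uses exactly the address that was validated.
pub fn pin_resolved(addrs: &[IpAddr], port: u16) -> Result<SocketAddr, Forbidden> {
    let mut first = None;
    for &ip in addrs {
        classify_ip(ip)?;
        first.get_or_insert(ip);
    }
    first.map(|ip| SocketAddr::new(ip, port)).ok_or(Forbidden::Empty)
}
```

The returned SocketAddr is what the page says gets handed to reqwest::Client::builder().resolve(host, addr), so the filter and the connection cannot disagree about the IP.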

Re-exports§

pub use crate::limits::MAX_CONTEXT_BYTES;
pub use crate::limits::MAX_METADATA_BYTES;
pub use crate::limits::MAX_REDIRECTS;

Structs§

SsrfPolicy
SSRF policy applied to outbound HTTP requests.
SsrfRejection
A rejection produced by the classify_* SSRF checks: a stable SsrfReason discriminant plus a human-readable detail.

Enums§

SsrfReason
Stable, machine-readable reason an SSRF check rejected a target.

Functions§

safe_client
Build a reqwest::Client hardened against SSRF for outbound POSTs to operator-configured endpoints (webhook delivery, federation feeds).