Skip to main content

Module ssrf

Module ssrf 

Source
Expand description

SSRF (Server-Side Request Forgery) defense helpers.

Canonical IP-classification logic shared by every outbound HTTP client in the workspace. Centralising this prevents drift between crates (e.g. one allowing ULA, another not) and makes the rule set auditable in one place.

Blocking policy:

  • IPv4: private, loopback, link-local, broadcast, multicast, unspecified, 0.0.0.0/8, CGN (100.64.0.0/10), benchmark (198.18.0.0/15), reserved future-use (240.0.0.0/4)
  • IPv6: loopback, multicast, unspecified, ULA (fc00::/7), link-local (fe80::/10), deprecated site-local (fec0::/10)

Public, routable addresses always return false. Domain-name validation is the caller’s responsibility — this helper operates on IpAddr.

Enums§

SsrfPolicy
SSRF validation policy for outbound HTTP clients.

Functions§

is_ssrf_blocked_ip
Returns true if ip belongs to a network that must NOT be reached by an outbound HTTP client in this workspace.