Skip to main content

Module ssrf

Module ssrf 

Source
Expand description

SSRF (Server-Side Request Forgery) defense helpers.

Canonical IP-classification logic shared by every outbound HTTP client in the workspace. Centralising this prevents drift between crates (e.g. one allowing ULA, another not) and makes the rule set auditable in one place.

Blocking policy:

  • IPv4: private, loopback, link-local, broadcast, multicast, unspecified, 0.0.0.0/8, CGN (100.64.0.0/10), benchmark (198.18.0.0/15), reserved future-use (240.0.0.0/4)
  • IPv6: loopback, multicast, unspecified, ULA (fc00::/7), link-local (fe80::/10), deprecated site-local (fec0::/10)

Public, routable addresses always return false. Domain-name validation is the caller’s responsibility — this helper operates on IpAddr.

Functions§

is_ssrf_blocked_ip
Returns true if ip belongs to a network that must NOT be reached by an outbound HTTP client in this workspace.