Expand description
SSRF (Server-Side Request Forgery) defense helpers.
Canonical IP-classification logic shared by every outbound HTTP client in the workspace. Centralising this prevents drift between crates (e.g. one allowing ULA, another not) and makes the rule set auditable in one place.
Blocking policy:
- IPv4: private, loopback, link-local, broadcast, multicast, unspecified, 0.0.0.0/8, CGN (100.64.0.0/10), benchmark (198.18.0.0/15), reserved future-use (240.0.0.0/4)
- IPv6: loopback, multicast, unspecified, ULA (fc00::/7), link-local (fe80::/10), deprecated site-local (fec0::/10)
Public, routable addresses always return false. Domain-name validation
is the caller’s responsibility — this helper operates on IpAddr.
Functions§
- is_
ssrf_ blocked_ ip - Returns
trueifipbelongs to a network that must NOT be reached by an outbound HTTP client in this workspace.