pub fn validate_url(url_str: &str) -> Result<Url>
Validates a URL to prevent Server-Side Request Forgery (SSRF) attacks.
This function ensures that URLs only point to public, safe destinations.
§Security Checks
- Only HTTP and HTTPS schemes are allowed
- Private IP ranges are blocked (RFC 1918, RFC 4193)
- Localhost and loopback addresses are blocked
- Link-local addresses are blocked (169.254.0.0/16)
- Cloud metadata endpoints are blocked
- Internal domain names are blocked (.local, .internal)
§Errors
Returns FeedError::Http if:
- The URL is malformed or invalid
- The URL scheme is not HTTP or HTTPS
- The URL points to a private IP address, localhost, or internal domain
- The URL points to a cloud metadata endpoint
§Examples
use feedparser_rs::http::validation::validate_url;
// These are allowed
assert!(validate_url("https://example.com/feed.xml").is_ok());
assert!(validate_url("http://blog.example.org/rss").is_ok());
// These are blocked
assert!(validate_url("http://localhost/").is_err());
assert!(validate_url("http://192.168.1.1/").is_err());
assert!(validate_url("http://169.254.169.254/").is_err());
assert!(validate_url("file:///etc/passwd").is_err());
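The host checks in the Security Checks list above, sketched with the standard library only. This is an added example, not feedparser_rs's own implementation; `is_blocked_host`, `is_blocked_v4` and `is_blocked_v6` are hypothetical names, and it goes slightly beyond the list by also covering IPv6 link-local, IPv4-mapped IPv6 literals, mixed case and trailing dots.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

// Hypothetical helpers written for this example; not feedparser_rs internals.
fn is_blocked_v4(ip: Ipv4Addr) -> bool {
    ip.is_loopback()          // 127.0.0.0/8
        || ip.is_private()    // RFC 1918: 10/8, 172.16/12, 192.168/16
        || ip.is_link_local() // 169.254.0.0/16, which contains 169.254.169.254
}

fn is_blocked_v6(ip: Ipv6Addr) -> bool {
    let s = ip.segments();
    // IPv4-mapped form ::ffff:a.b.c.d is judged as the embedded IPv4 address.
    if s[..5].iter().all(|&x| x == 0) && s[5] == 0xffff {
        let (hi, lo) = (s[6].to_be_bytes(), s[7].to_be_bytes());
        return is_blocked_v4(Ipv4Addr::new(hi[0], hi[1], lo[0], lo[1]));
    }
    ip.is_loopback()                 // ::1
        || (s[0] & 0xfe00) == 0xfc00 // RFC 4193 unique local, fc00::/7
        || (s[0] & 0xffc0) == 0xfe80 // link-local, fe80::/10
}

/// `host` is the host component of an already parsed http(s) URL.
pub fn is_blocked_host(host: &str) -> bool {
    // Case and a trailing root dot do not change where a name points.
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    // IPv6 literals are written in brackets inside URLs, e.g. "[::1]".
    let literal = h.trim_start_matches('[').trim_end_matches(']');
    if let Ok(ip) = literal.parse::<IpAddr>() {
        return match ip {
            IpAddr::V4(v4) => is_blocked_v4(v4),
            IpAddr::V6(v6) => is_blocked_v6(v6),
        };
    }
    // An empty host is treated as blocked; the suffixes are the page's internal domains.
    h.is_empty() || h == "localhost" || h.ends_with(".local") || h.ends_with(".internal")
}

fn main() {
    // Constructed sample hosts.
    let samples = ["example.com", "192.168.1.1", "[::ffff:169.254.169.254]", "LOCALHOST.", "db.internal"];
    for h in samples.iter() {
        println!("{:<26} blocked={}", h, is_blocked_host(h));
    }
}
```

This sketch sees only the host string; a public-looking name can still resolve to a blocked address, so the same classification should be applied to the resolved IP before connecting.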