Expand description
SSRF (Server-Side Request Forgery) guard for cloud-driven runs.
When mockforge-test-runner (or any other cloud-side caller) accepts a
user-supplied target URL and dispatches HTTP traffic at it, an attacker
can point the runner at internal infrastructure: metadata endpoints
(169.254.169.254), localhost services, RFC1918 / ULA private ranges,
and so on. Without a guard, we hand them a free internal-network
scanner running inside our Fly.io org.
validate_target_url is the single chokepoint. It:
- Parses the URL and rejects anything that isn’t
http://orhttps://(nofile://,gopher://, etc.). - Resolves the hostname via DNS (asynchronously) and rejects if any resolved IP is in a blocked range.
- Treats literal-IP hostnames (
http://10.0.0.1/) the same way — parsing them asIpAddrdirectly so DNS resolution isn’t needed.
Blocked ranges:
- IPv4: loopback (
127.0.0.0/8), link-local (169.254.0.0/16— includes the AWS/GCP/Fly metadata IP169.254.169.254), unspecified (0.0.0.0/8), broadcast, RFC1918 private (10/8,172.16/12,192.168/16), CGNAT (100.64.0.0/10), benchmark (198.18/15). - IPv6: loopback (
::1), unspecified (::), link-local (fe80::/10), ULA (fc00::/7), IPv4-mapped (::ffff:0:0/96— caller could smuggle in a private v4 address).
There is no escape hatch — production callers MUST ensure their target
is publicly reachable. Tests can override with the loopback-ok env
var (see Policy::for_test) for integration-test endpoints on
127.0.0.1.
Structs§
- Policy
- Knobs for
validate_target_url. Default policy is the strict production one; tests can relax it viaPolicy::allow_loopback.
Enums§
- Ssrf
Error - Reasons a target URL can be rejected by
validate_target_url.
Functions§
- validate_
target_ url - Validate that a URL is safe for a cloud runner to hit. Returns
Ok(())when the target is a publicly-routable HTTP/S endpoint.