Module ssrf 

SSRF guard (F1).

Validates the resolved IP of a target URL against an operator-configured policy before the server issues an outbound request. Defaults are fail-safe: RFC 1918, RFC 4193, loopback, link-local, multicast, and cloud-metadata ranges are denied.

Upstream parity: JavaScriptSolidServer/src/utils/ssrf.js:15-157. Design context: docs/design/jss-parity/01-security-primitives-context.md.

Structs

SsrfPolicy

SSRF policy (aggregate root).

Enums

IpClass

Classification of an IP address against the SSRF-relevant address space.

SsrfError

Errors emitted while evaluating an SSRF policy.

Constants

ENV_SSRF_ALLOWLIST

Environment variable: comma-separated hostnames (or host:port) whose resolved IP is permitted regardless of classification. Operator escape hatch for known-good internal hosts.

ENV_SSRF_ALLOW_LINK_LOCAL

Environment variable: when set to 1/true, permits link-local (169.254.0.0/16, fe80::/10). Note: cloud-metadata endpoints on link-local (169.254.169.254) are classified Reserved and cannot be unlocked by this toggle.

ENV_SSRF_ALLOW_LOOPBACK

Environment variable: when set to 1/true, permits loopback (127.0.0.0/8, ::1).

ENV_SSRF_ALLOW_PRIVATE

Environment variable: when set to 1/true, permits RFC 1918 and RFC 4193 private address space.

ENV_SSRF_DENYLIST

Environment variable: comma-separated hostnames whose resolved IP is always denied, even when otherwise permitted by policy.

Functions

is_safe_url

Sync primitive: accept a URL string, parse its shape, and refuse any URL whose host is either absent or an IP literal in a blocked class.

resolve_and_check

Async primitive: resolve host via DNS and check every returned address against the restrictive default policy. Returns the first resolved address on success; if any resolved address is blocked the whole lookup is denied (we bind to the first address, so we must refuse as soon as any rebinding target is known-bad).