Skip to main content

SsrfPolicy

solid_pod_rs::security::ssrf

Struct SsrfPolicy

pub struct SsrfPolicy { /* private fields */ }

Expand description

SSRF policy (aggregate root).

Immutable after construction. To change the effective policy, build a new one and swap it atomically in the enclosing service state.

Implementations§

impl SsrfPolicy

pub fn new() -> Self

Construct a maximally restrictive default policy: all non-public classes blocked, no allowlist, no denylist, no metrics sink. Prefer SsrfPolicy::from_env for production; use SsrfPolicy::new only for tests and examples where the caller fully controls the policy shape.

pub fn from_env() -> Self

Load policy from the process environment. All toggles default to false; lists default to empty.

SSRF_ALLOW_PRIVATE=1 — permit RFC 1918 / RFC 4193
SSRF_ALLOW_LOOPBACK=1 — permit 127/8, ::1
SSRF_ALLOW_LINK_LOCAL=1 — permit 169.254/16, fe80::/10
SSRF_ALLOWLIST=host1,host2 — hostname-keyed allowlist
SSRF_DENYLIST=host3,host4 — hostname-keyed denylist

pub fn with_metrics(self, metrics: SecurityMetrics) -> Self

Attach a metrics sink; counters are incremented on every block/deny event, labelled by IpClass.

pub fn with_allowlist(self, hosts: Vec<String>) -> Self

Replace the allowlist. Hostnames are stored verbatim and compared case-insensitively at check time.

pub fn with_denylist(self, hosts: Vec<String>) -> Self

Replace the denylist.

pub fn with_allow_private(self, allow: bool) -> Self

Override the private-space toggle.

pub fn with_allow_loopback(self, allow: bool) -> Self

Override the loopback toggle.

pub fn with_allow_link_local(self, allow: bool) -> Self

Override the link-local toggle.

pub fn classify(ip: IpAddr) -> IpClass

Classify an IP. Pure, total function over IpAddr.

pub async fn resolve_and_check(&self, url: &Url) -> Result<IpAddr, SsrfError>

Resolve url’s host to an IP and enforce the policy.

Returns the resolved IpAddr so callers can bind the subsequent socket connect to the same address, defeating DNS rebinding. On policy violation returns SsrfError::BlockedClass or SsrfError::Denylisted and increments the metrics counter labelled by the violating class.

The allowlist short-circuits classification; a host on the allowlist is permitted regardless of IP class. The denylist overrides all permissive checks (including the allowlist) — a host on both lists is denied.

Trait Implementations§

impl Clone for SsrfPolicy

fn clone(&self) -> SsrfPolicy

Returns a duplicate of the value. Read more

1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

impl Debug for SsrfPolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

impl Default for SsrfPolicy

fn default() -> Self

Returns the “default value” for a type. Read more

Auto Trait Implementations§

impl Freeze for SsrfPolicy

impl RefUnwindSafe for SsrfPolicy

impl Send for SsrfPolicy

impl Sync for SsrfPolicy

impl Unpin for SsrfPolicy

impl UnsafeUnpin for SsrfPolicy

impl UnwindSafe for SsrfPolicy

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)

Performs copy-assignment from self to dest. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> PolicyExt for T
where T: ?Sized,

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more