urlvalidate

package
v1.9.0-rc1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2026 License: AGPL-3.0 Imports: 4 Imported by: 0

Documentation

Overview

Package urlvalidate provides SSRF-prevention checks shared across packages that accept operator-supplied URLs (webhook endpoints, audit export sinks, identity provider verification callbacks, etc.).

The rules are intentionally conservative:

  • Only http and https schemes are allowed.
  • Link-local addresses (IPv4 169.254.0.0/16, IPv6 fe80::/10) are blocked because they include cloud metadata services and host-local adjacencies.
  • A small allowlist of cloud metadata hostnames is blocked outright. DNS is case-insensitive, so the comparison lowercases the hostname before matching — "Metadata.Google.Internal" must not bypass the blocklist.

Placing this in a neutral package lets both pkg/daemon and pkg/registry (which cannot import pkg/daemon) share exactly one implementation.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Validate 

func Validate(rawURL string) error

Validate returns nil if rawURL is an acceptable http(s) endpoint that does not point at a link-local or well-known cloud-metadata target. Callers are responsible for deciding whether an empty URL (which returns an error here) should be interpreted as "disable" before calling.

Types

This section is empty.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.