ssrf

package
v0.11.4 (Latest)
This package is not in the latest version of its module.

Published: Mar 5, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	// ErrPrivateIP is returned when a connection to a private or internal IP is blocked.
	ErrPrivateIP = errors.New("connection to private or internal IP address is not allowed")
	// ErrInvalidScheme is returned when a URL scheme is not http or https.
	ErrInvalidScheme = errors.New("URL must use http or https scheme")
	// ErrInvalidURL is returned when a URL is invalid.
	ErrInvalidURL = errors.New("invalid URL")
)

Functions

func NewSecureClient

func NewSecureClient() *http.Client

NewSecureClient returns an HTTP client with SSRF protection. It validates resolved IPs at dial time to block connections to private and internal networks. Since validation uses the already-resolved IP from the Transport's DNS lookup, there is no TOCTOU gap between resolution and connection. Redirects are disabled to match the webhook client convention and prevent redirect-based SSRF.

func ValidateIPBeforeDial

func ValidateIPBeforeDial(ip net.IP) error

ValidateIPBeforeDial validates an IP address before establishing a connection. This prevents DNS rebinding attacks by checking the resolved IP at dial time.
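
The dial-time check described for NewSecureClient and ValidateIPBeforeDial, shown using only the standard library. This is an added example, not this package's source: the names errBlockedIP, isPublicIP, guardControl and newGuardedClient, and the list of blocked ranges, are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

var errBlockedIP = errors.New("destination IP is not public") // hypothetical sentinel

// isPublicIP reports whether ip is outside the ranges this example treats as
// internal. The range list is an assumption; the page does not enumerate one.
func isPublicIP(ip net.IP) bool {
	return ip != nil && !(ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast())
}

// guardControl runs after the socket is created and before connect(2), so
// address is the already-resolved literal IP:port, never a hostname.
// Unparseable hosts (for example zoned IPv6) yield nil and are rejected.
func guardControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if !isPublicIP(net.ParseIP(host)) {
		return fmt.Errorf("%w: %s", errBlockedIP, host)
	}
	return nil
}

// newGuardedClient dials only through guardControl and never follows redirects.
func newGuardedClient() *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second, Control: guardControl}
	return &http.Client{
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	// Constructed target: a loopback literal, rejected before connect.
	_, err := newGuardedClient().Get("http://127.0.0.1:9/")
	fmt.Println(errors.Is(err, errBlockedIP), err)
}
```

Because the check sits in the dialer's Control hook, it applies to every address the Transport tries for a hostname, including IPv4-mapped IPv6 forms of internal addresses.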

func ValidateURL

func ValidateURL(rawURL string) error

ValidateURL validates that a URL is safe to make requests to. It checks that the scheme is http/https, the hostname is not localhost, and all resolved IPs are public.

Types

This section is empty.
