ssrfguard

Overview ¶

Package ssrfguard is an opt-in SSRF egress guard for flate's outbound source fetches. When flate renders UNTRUSTED input (e.g. konflate rendering a fork PR), a fork can place attacker-chosen URLs in the tree — kustomize remote resources/bases and GitRepository/OCIRepository/HelmRepository/Bucket spec.url — which flate would otherwise fetch server-side from inside the cluster, reaching cloud metadata (169.254.169.254), in-cluster services, and RFC1918/loopback hosts.

The guard installs a net.Dialer.Control hook on every fetch transport (via WrapTransport, wired into source.NewHTTPTransport, the helm getter, and the kustomize remote-fetch client). Control runs at dial time, AFTER DNS resolution, for every connection INCLUDING redirect targets, so one hook closes both DNS-rebinding and redirect SSRF without a CheckRedirect.

It is OFF by default and gated by a single process-global toggle (Restrict): flate normally renders TRUSTED repos that legitimately fetch from private/LAN hosts (self-hosted Gitea, in-cluster registries), so an always-on private block would break the common case. A consumer rendering untrusted input (konflate fork mode, or the `flate --restrict-egress` flag) turns it on. The toggle is process-global, not per-render, because go-git v5 installs its HTTPS transport on a process-global protocol map with no per-clone hook — so a per-render git egress policy is impossible, and a process-global toggle is the honest model. Set it once at process init; last writer wins.

Boundaries (deliberately NOT covered):

• A configured HTTP proxy is a trust boundary the operator owns: with Transport.Proxy set, the dial (and thus Control) sees the proxy IP, not the CONNECT target.
• SSH git (ssh://) dials via ssh.Dial, outside this HTTP transport; SSH to a metadata/RFC1918 endpoint is implausible and out of scope.
• This blocks reaching INTERNAL addresses; full egress-deny (incl. public hosts) is the consumer's NetworkPolicy job.