Skip to Content [alt-c]

Comment

In reply to Preventing Server Side Request Forgery in Golang

Reader Arkadiy Tetelman on 2019-12-21 at 19:21:

I was googling how to prevent SSRF in Golang and found this article published only yesterday - very serendipitous for me!

Your IPv6 blocking is missing a few other reserved addresses though - in particular it's missing the ipv4-mapped and ipv4-compatible ipv6 addresses. For instance I could make a request to the ipv6 address ::ffff:169.254.169.254 and access your cloud provider metadata service.

If it's helpful here's the ipv6 denylist I use in my SSRF ruby gem: https://github.com/arkadiyt/ssrf_filter/blob/master/lib/ssrf_filter/ssrf_filter.rb#L45-L65

In any case this post / the network hooking was extremely helpful for me - thank you!

Reply

Post a Reply

Your comment will be public. If you would like to contact me privately, please email me. Please keep your comment on-topic, polite, and comprehensible.

(Optional; will be published)

(Optional; will not be published)

(Optional; will be published)

  • Blank lines separate paragraphs.
  • Lines starting with ">" are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim.
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.
  • Use the Preview button to check your formatting.