8 releases
0.6.3 | Oct 2, 2024 |
---|---|
0.6.1 | Sep 29, 2024 |
0.6.0 | Jul 22, 2024 |
0.5.6 |
|
#1351 in Network programming
1,263 downloads per month
Used in http-acl-reqwest
75KB
1.5K
SLoC
http-acl
An ACL for HTTP requests.
Why?
Systems which allow users to create arbitrary HTTP requests or specify arbitrary URLs to fetch like webhooks are vulnerable to SSRF attacks. An example is a malicious user could own a domain which resolves to a private IP address and then use that domain to make requests to internal services.
This crate provides a simple ACL to allow you to specify which hosts, ports, and IP ranges are allowed to be accessed. The ACL can then be used to ensure that the user's request meets the ACL's requirements before the request is made.
Usage
use http_acl::{HttpAcl, IpNet};
fn main() -> Result<(), Box<dyn std::error::Error>> {
// Create an HTTP ACL
let acl = HttpAcl::builder()
.add_allowed_host("example.com".to_string())
.unwrap()
.add_allowed_host("example.org".to_string())
.unwrap()
.add_denied_host("example.net".to_string())
.unwrap()
.add_allowed_port_range(8080..=8080)
.unwrap()
.add_denied_port_range(8443..=8443)
.unwrap()
.add_allowed_ip_range("1.0.0.0/8".parse::<IpNet>().unwrap())
.unwrap()
.add_denied_ip_range("9.0.0.0/8".parse::<IpNet>().unwrap())
.unwrap()
.build();
// Check if a request is allowed
assert!(acl.is_host_allowed("example.com").is_allowed());
assert!(acl.is_host_allowed("example.org").is_allowed());
assert!(!acl.is_host_allowed("example.net").is_allowed());
assert!(acl.is_port_allowed(8080).is_allowed());
assert!(!acl.is_port_allowed(8443).is_allowed());
assert!(acl.is_ip_allowed(&"1.1.1.1".parse().unwrap()).is_allowed());
assert!(acl.is_ip_allowed(&"9.9.9.9".parse().unwrap()).is_denied());
assert!(acl
.is_ip_allowed(&"192.168.1.1".parse().unwrap())
.is_denied());
Ok(())
}
Documentation
See docs.rs.
Dependencies
~1.4–2.3MB
~57K SLoC