Lib.rs

Network programmingHttpAcl
#http-request #acl #http #reqwest-middleware #ip #http-client #networking

http-acl-reqwest

An ACL middleware for reqwest

Owned by veeshi, nethunterslabs.

7 releases

0.5.6 Oct 30, 2023
0.5.5 Sep 19, 2023
0.5.1 Aug 7, 2023

#9 in #reqwest-middleware

Download history 3/week @ 2024-02-26 1/week @ 2024-03-11 42/week @ 2024-04-01 9/week @ 2024-04-22

51 downloads per month

Apache-2.0

80KB
1.5K SLoC

http-acl-reqwest

An ACL middleware for reqwest.

Why?

Systems which allow users to create arbitrary HTTP requests or specify arbitrary URLs to fetch like webhooks are vulnerable to SSRF attacks. An example is a malicious user could own a domain which resolves to a private IP address and then use that domain to make requests to internal services.

This crate provides a simple ACL to allow you to specify which hosts, ports, and IP ranges are allowed to be accessed. The ACL can then be used to ensure that the user's request meets the ACL's requirements before the request is made.

Usage

use http_acl_reqwest::{HttpAcl, HttpAclMiddleware};
use reqwest::Client;
use reqwest_middleware::ClientBuilder;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let acl = HttpAcl::builder()
        .add_denied_host("example.com".to_string())
        .unwrap()
        .build();

    let middleware = HttpAclMiddleware::new(acl);

    let client = ClientBuilder::new(Client::builder().build().unwrap())
        .with(middleware)
        .build();

    assert!(client.get("http://example.com/").send().await.is_err());

    Ok(())
}

Documentation

See docs.rs.

Dependencies

~4–19MB
~266K SLoC