Skip to Content [alt-c]
In reply to Preventing Server Side Request Forgery in Golang
I was googling how to prevent SSRF in Golang and found this article published only yesterday - very serendipitous for me!
Your IPv6 blocking is missing a few other reserved addresses though - in particular it's missing the ipv4-mapped and ipv4-compatible ipv6 addresses. For instance I could make a request to the ipv6 address ::ffff:169.254.169.254 and access your cloud provider metadata service.
::ffff:169.254.169.254
If it's helpful here's the ipv6 denylist I use in my SSRF ruby gem: https://github.com/arkadiyt/ssrf_filter/blob/master/lib/ssrf_filter/ssrf_filter.rb#L45-L65
In any case this post / the network hooking was extremely helpful for me - thank you!
Reply
Your comment will be public. To contact me privately, email me. Please keep your comment polite, on-topic, and comprehensible. Your comment may be held for moderation before being published.
Your Name: (Optional; will be published)
Your Email Address: (Optional; will not be published)
Your Website: (Optional; will be published)
>
monospaced
Post a Reply
Your comment will be public. To contact me privately, email me. Please keep your comment polite, on-topic, and comprehensible. Your comment may be held for moderation before being published.