npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

ssrfcheck

v1.1.1

Published

Check if a string contains a potential SSRF attack

Downloads

412

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

felipperegaziofelipperegazio

Keywords

Readme

SSRF Check

Check if a given URI-String contains a possible SSRF (Server-Side Request Forgery) attack. Zero dependencies!

Installation

npm install ssrfcheck

Usage

import { isSSRFSafeURL } from 'ssrfcheck';

const url = 'https://localhost:8080/whatever';
const result = isSSRFSafeURL(url); // false

The function returns true for a safe URL, and false for an unsafe one.

CommonJS

You can use this library as a CJS module as well

const { isSSRFSafeURL } = require('ssrfcheck');

const url = 'https://localhost:8080/whatever';
const result = isSSRFSafeURL(url); // false

CLI

npx ssrfcheck <uri> <options>

Or if you prefer, just intall the lib globaly and supress the npx:

npm install -g ssrfcheck

Usage Example:

npx ssrfcheck https://localhost:8080/whatever

The command above will output Safe for safe URLs and Danger! for the possibly vulnerable ones.

When to use it

If you have any user-input/config that receives an URL which you use to request, or any kind of dynamic data that compose a complete URL, you may be vunerable to SSRF attacks and must validate this URL. This library must be used on the backend. This library requires a valid URL to check, the minimum URL schema is: protocol://ip|top-level-domain. Exotic strings will be normalized and mounted as an https URL by default (You can change it on the param autoPrependProtocol). This means that, if you type www.example.com it will be normalized by default to https://www.example.com. If you want to test fragments or paths and not only entire URLs, you may be looking for a path traversal validator instead. Any exotic string that cannot be normalized to a valid domain are considered a threat and will cause this library to return a Danger alert, since it can be a "tricky" path combination trying to exploit your service.

Options

Function signature

function isSSRFSafeURL(url: string, options: Options): boolean

Options must be an object with the following structure:

{
  quiet: boolean,
  noIP: boolean,
  allowUsername: boolean,
  allowedProtocols: string[],
  autoPrependProtocol: string,
  allowUnsafeChars: boolean,
}

You can pass incremental options, that means: if you dont pass a value for some options, the library will provide default values.

|Option|Description|Type|Default| |--|--|--|---| |quiet|When an error occurs the function will only return false and wont throw it|boolean|true| |noIP|Tells if the validator must automatically block any IP-URIs, e.g. https://164.456.34.44. By default IP URIs are allowed but analysed to check if there is any SSRF risk|boolean|false| |allowUsername|Tells if the validator must allow URI's that contains login notation, e.g. https://test:[email protected]. Address like this are blocked by default|boolean|false| |allowedProtocols| Protocols accepted by the validator|Array|[ 'http', 'https ]| |autoPrependProtocol|When passing a non schema-complete URL, tries to normalize using this protocol, e.g: a.com will be normalized to https://a.com by default. Pass false to turn off URL normalization, this will cause any non-schema-complete URL to return false|string or false|https| |allowUnsafeChars|By The RFC, the following chars are forbidden as WYSIWYG in a URL and must be encoded: "<>\^`{|}. This lib prohibites them by default, mark this option as true to allow it|boolean|false|

Example

For this example, we will validate a URL but allowing login-URIs and ftp: protocol:

import { isSSRFSafeURL } from 'ssrfcheck';

const url = 'https://localhost:8080/whatever';

const result = isSSRFSafeURL(url, {
  allowUsername: true,
  allowedProtocols: [ 'http', 'https', 'ftp' ],
});

CLI Options

You can pass any options using CLI notation

|Option|Equivalent| |--|--| |--quiet|quiet| |--no-ip|noIP| |--allow-username|allowUsername| |--allowed-protocols=|allowedProtocols| |--allow-unsafe-chars=|allowUnsafeChars| |--auto-prepend-protocol=|autoPrependProtocol|

Example

npx ssrfcheck ftp://user:pass@localhost:8080/whatever --allowed-protocols=ftp,http,https --allow-username

What does this Lib check?

The library checks for complete URLs focusing on the protocol and domain structure and tells whether is a possible SSRF attack or not. This library does NOT checks for path traversal attacks. The checks are made in the following order:

  • must contain a hostname
  • must not contain login-urls (e.g: https://user:[email protected]) (optionated)
  • cannot contain RFC forbidden chars: "<>\^`{|} (optionated)
  • cannot be a dot domain (e.g: https://./../.com) - commonly result of some trick
  • cannot be localhost or loopback domain
  • cannot be a private IP of any range
  • checks for tricks: oct domain, decimal domains, special chars, etc

If you wann know more about coverage, check the tests directory of this project. Test data lives in /tests/data folder.

Warning

This lib will NOT check SSRF attacks via redirection since it cant hook into any kind of Request. In order to prevent those kind of attacks you must disable the follow symlinks and HTTP redirections on your server. To know more about other protection layers against SSRF: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/

Contribution

Sources are in /src, tests in /tests. No build needed. To run tests: npm run test. No dependencies, no install, just code and test.

LICENSE

MIT LICENSE Copyright (c) 2023 Felippe Regazio