Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

ssrfcheck

Package Overview
Dependencies
Maintainers
1
Versions
11
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

ssrfcheck

Check if a string contains a potential SSRF attack

  • 1.1.1
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
42
decreased by-4.55%
Maintainers
1
Weekly downloads
 
Created
Source

SSRF Check

Check if a given URI-String contains a possible SSRF (Server-Side Request Forgery) attack. Zero dependencies!

Installation

npm install ssrfcheck

Usage

import { isSSRFSafeURL } from 'ssrfcheck';

const url = 'https://localhost:8080/whatever';
const result = isSSRFSafeURL(url); // false

The function returns true for a safe URL, and false for an unsafe one.

CommonJS

You can use this library as a CJS module as well

const { isSSRFSafeURL } = require('ssrfcheck');

const url = 'https://localhost:8080/whatever';
const result = isSSRFSafeURL(url); // false

CLI

npx ssrfcheck <uri> <options>

Or if you prefer, just intall the lib globaly and supress the npx:

npm install -g ssrfcheck

Usage Example:

npx ssrfcheck https://localhost:8080/whatever

The command above will output Safe for safe URLs and Danger! for the possibly vulnerable ones.

When to use it

If you have any user-input/config that receives an URL which you use to request, or any kind of dynamic data that compose a complete URL, you may be vunerable to SSRF attacks and must validate this URL. This library must be used on the backend. This library requires a valid URL to check, the minimum URL schema is: protocol://ip|top-level-domain. Exotic strings will be normalized and mounted as an https URL by default (You can change it on the param autoPrependProtocol). This means that, if you type www.example.com it will be normalized by default to https://www.example.com. If you want to test fragments or paths and not only entire URLs, you may be looking for a path traversal validator instead. Any exotic string that cannot be normalized to a valid domain are considered a threat and will cause this library to return a Danger alert, since it can be a "tricky" path combination trying to exploit your service.

Options

Function signature

function isSSRFSafeURL(url: string, options: Options): boolean

Options must be an object with the following structure:

{
  quiet: boolean,
  noIP: boolean,
  allowUsername: boolean,
  allowedProtocols: string[],
  autoPrependProtocol: string,
  allowUnsafeChars: boolean,
}

You can pass incremental options, that means: if you dont pass a value for some options, the library will provide default values.

OptionDescriptionTypeDefault
quietWhen an error occurs the function will only return false and wont throw itbooleantrue
noIPTells if the validator must automatically block any IP-URIs, e.g. https://164.456.34.44. By default IP URIs are allowed but analysed to check if there is any SSRF riskbooleanfalse
allowUsernameTells if the validator must allow URI's that contains login notation, e.g. https://test:pass@domain.com. Address like this are blocked by defaultbooleanfalse
allowedProtocolsProtocols accepted by the validatorArray[ 'http', 'https ]
autoPrependProtocolWhen passing a non schema-complete URL, tries to normalize using this protocol, e.g: a.com will be normalized to https://a.com by default. Pass false to turn off URL normalization, this will cause any non-schema-complete URL to return falsestring or falsehttps
allowUnsafeCharsBy The RFC, the following chars are forbidden as WYSIWYG in a URL and must be encoded: "<>\^`{|}. This lib prohibites them by default, mark this option as true to allow itbooleanfalse

Example

For this example, we will validate a URL but allowing login-URIs and ftp: protocol:

import { isSSRFSafeURL } from 'ssrfcheck';

const url = 'https://localhost:8080/whatever';

const result = isSSRFSafeURL(url, {
  allowUsername: true,
  allowedProtocols: [ 'http', 'https', 'ftp' ],
});

CLI Options

You can pass any options using CLI notation

OptionEquivalent
--quietquiet
--no-ipnoIP
--allow-usernameallowUsername
--allowed-protocols=allowedProtocols
--allow-unsafe-chars=allowUnsafeChars
--auto-prepend-protocol=autoPrependProtocol

Example

npx ssrfcheck ftp://user:pass@localhost:8080/whatever --allowed-protocols=ftp,http,https --allow-username

What does this Lib check?

The library checks for complete URLs focusing on the protocol and domain structure and tells whether is a possible SSRF attack or not. This library does NOT checks for path traversal attacks. The checks are made in the following order:

  • must contain a hostname
  • must not contain login-urls (e.g: https://user:pass@domain.com) (optionated)
  • cannot contain RFC forbidden chars: "<>\^`{|} (optionated)
  • cannot be a dot domain (e.g: https://./../.com) - commonly result of some trick
  • cannot be localhost or loopback domain
  • cannot be a private IP of any range
  • checks for tricks: oct domain, decimal domains, special chars, etc

If you wann know more about coverage, check the tests directory of this project. Test data lives in /tests/data folder.

Warning

This lib will NOT check SSRF attacks via redirection since it cant hook into any kind of Request. In order to prevent those kind of attacks you must disable the follow symlinks and HTTP redirections on your server. To know more about other protection layers against SSRF: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/

Contribution

Sources are in /src, tests in /tests. No build needed. To run tests: npm run test. No dependencies, no install, just code and test.

LICENSE

MIT LICENSE Copyright (c) 2023 Felippe Regazio

FAQs

Package last updated on 12 Jan 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc