httpclient

package
v0.0.6

This package is not in the latest version of its module.

Published: Mar 21, 2024 | License: Apache-2.0 | Imports: 12 | Imported by: 0

README

httpclient

Package httpclient provides an SSRF-safe HTTP client implementation.

Variables

DefaultAuthorizer exposes the default authorizer instance.

var DefaultAuthorizer = &ssrfAuthorizer{}

DefaultClient represents a safe HTTP client instance.

var DefaultClient = Safe()

Functions

func NewClient

func NewClient(az Authorizer, opts ...Option) *http.Client

NewClient creates a safe HTTP client with the given authorizer implementation.

func NewRequestFilter

func NewRequestFilter(az Authorizer, next http.RoundTripper) http.RoundTripper

NewRequestFilter sets up a request interceptor that authorizes the request before the client sends it.

func NewResponseFilter

func NewResponseFilter(az Authorizer, next http.RoundTripper) http.RoundTripper

NewResponseFilter sets up a response interceptor that authorizes a response received by the client.

func Safe

func Safe(opts ...Option) *http.Client

Safe returns a safe HTTP client with the default authorizer implementation.

c := Safe()

// Query the AWS metadata endpoint (link-local address)
r, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://169.254.169.254/latest/meta-data/", nil)
if err != nil {
    panic(err)
}

resp, err := c.Do(r)
if resp != nil {
    defer resp.Body.Close()
}
if err != nil {
    // The safe client refuses the dial and reports why
    fmt.Println(err)
}

Output:

Get "http://169.254.169.254/latest/meta-data/": response filter round trip failed: request filter round trip failed: dial tcp 169.254.169.254:80: tcp4/169.254.169.254:80 is not authorized by the client: "169.254.169.254" address is link local unicast

func UnSafe

func UnSafe(opts ...Option) *http.Client

UnSafe returns an HTTP client with default transport settings only.

// Create a fake HTTP server that always redirects to itself
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    http.Redirect(w, r, "", http.StatusFound)
}))
defer mockServer.Close()

c := UnSafe(
    // Reduce timeout
    WithTimeout(3*time.Second),
    // Disable keep alives
    WithDisableKeepAlives(true),
    // Default for unsafe
    WithDisableRequestFilter(true),
    // Default for unsafe
    WithDisableResponseFilter(true),
    // Enable follow redirect
    WithFollowRedirect(true),
    // Change max redirection count
    WithMaxRedirectionCount(2),
)

// Query the mock server
r, err := http.NewRequestWithContext(context.Background(), http.MethodGet, mockServer.URL, nil)
if err != nil {
    panic(err)
}

resp, err := c.Do(r)
if resp != nil {
    defer resp.Body.Close()
}
if err != nil {
    // The redirect loop is cut off at the configured maximum
    fmt.Println(err)
}

Output:

Get "/": stopped after 2 redirects

Types

type Authorizer

type Authorizer interface { ... }

Authorizer describes socket level authorization gates.

type Option

type Option func(*options)

Option is the functional option type used to configure the HTTP client.

func WithDisableKeepAlives

func WithDisableKeepAlives(value bool) Option

WithDisableKeepAlives disables the keep alive feature.

func WithDisableRequestFilter

func WithDisableRequestFilter(value bool) Option

WithDisableRequestFilter disables the request filtering feature.

func WithDisableResponseFilter

func WithDisableResponseFilter(value bool) Option

WithDisableResponseFilter disables the response filtering feature.

func WithFollowRedirect

func WithFollowRedirect(value bool) Option

WithFollowRedirect enables or disables the redirection follower feature; passing true enables it.

func WithMaxRedirectionCount

func WithMaxRedirectionCount(value int) Option

WithMaxRedirectionCount sets the maximum redirection count before returning an error.

func WithTLSClientConfig

func WithTLSClientConfig(value *tls.Config) Option

WithTLSClientConfig sets the HTTP client TLS configuration to use for connection.

func WithTLSDialer

func WithTLSDialer(dialer func(context.Context, string, string) (net.Conn, error)) Option

WithTLSDialer sets the TLS Dialer function to use to establish the connection.

func WithTimeout

func WithTimeout(value time.Duration) Option

WithTimeout sets the client timeout.

Sub Packages

  • mock: Package mock is a generated GoMock package.

Documentation

Overview

Package httpclient provides an SSRF-safe HTTP client implementation.

Constants

This section is empty.

Variables

var DefaultAuthorizer = &ssrfAuthorizer{}

DefaultAuthorizer exposes the default authorizer instance.

var DefaultClient = Safe()

DefaultClient represents a safe HTTP client instance.

Functions

func NewClient

func NewClient(az Authorizer, opts ...Option) *http.Client

NewClient creates a safe HTTP client with the given authorizer implementation.

func NewRequestFilter

func NewRequestFilter(az Authorizer, next http.RoundTripper) http.RoundTripper

NewRequestFilter sets up a request interceptor that authorizes the request before the client sends it.

func NewResponseFilter

func NewResponseFilter(az Authorizer, next http.RoundTripper) http.RoundTripper

NewResponseFilter sets up a response interceptor that authorizes a response received by the client.

func Safe

func Safe(opts ...Option) *http.Client

Safe returns a safe HTTP client with the default authorizer implementation.

Example

c := Safe()

// Query the AWS metadata endpoint (link-local address)
r, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://169.254.169.254/latest/meta-data/", nil)
if err != nil {
	panic(err)
}

resp, err := c.Do(r)
if resp != nil {
	defer resp.Body.Close()
}
if err != nil {
	// The safe client refuses the dial and reports why
	fmt.Println(err)
}

Output:

Get "http://169.254.169.254/latest/meta-data/": response filter round trip failed: request filter round trip failed: dial tcp 169.254.169.254:80: tcp4/169.254.169.254:80 is not authorized by the client: "169.254.169.254" address is link local unicast

func UnSafe

func UnSafe(opts ...Option) *http.Client

UnSafe returns an HTTP client with default transport settings only.

Example

// Create a fake HTTP server that always redirects to itself
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "", http.StatusFound)
}))
defer mockServer.Close()

c := UnSafe(
	// Reduce timeout
	WithTimeout(3*time.Second),
	// Disable keep alives
	WithDisableKeepAlives(true),
	// Default for unsafe
	WithDisableRequestFilter(true),
	// Default for unsafe
	WithDisableResponseFilter(true),
	// Enable follow redirect
	WithFollowRedirect(true),
	// Change max redirection count
	WithMaxRedirectionCount(2),
)

// Query the mock server
r, err := http.NewRequestWithContext(context.Background(), http.MethodGet, mockServer.URL, nil)
if err != nil {
	panic(err)
}

resp, err := c.Do(r)
if resp != nil {
	defer resp.Body.Close()
}
if err != nil {
	// The redirect loop is cut off at the configured maximum
	fmt.Println(err)
}

Output:

Get "/": stopped after 2 redirects

Types

type Authorizer

type Authorizer interface {
	// IsNetworkAddressAuthorized returns true if the given network/address
	// tuple is allowed.
	IsNetworkAddressAuthorized(network, address string) (bool, error)
	// IsRequestAuthorized returns true if the request is allowed.
	IsRequestAuthorized(req *http.Request) bool
	// IsResponseAuthorized returns true if the response is allowed.
	IsResponseAuthorized(res *http.Response) bool
}

Authorizer describes socket level authorization gates.
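
As an added illustration (not code from this package), the sketch below shows what a socket-level gate with the IsNetworkAddressAuthorized signature can look like when wired into the standard library's net.Dialer.Control hook. dialGate, control and guardedDialer are hypothetical names, the deny list is an assumption rather than the package's actual ssrfAuthorizer policy, and the addresses are constructed samples.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"syscall"
	"time"
)

// dialGate is a hypothetical authorizer, not the package's ssrfAuthorizer.
type dialGate struct{}

// IsNetworkAddressAuthorized has the signature of the Authorizer method.
func (dialGate) IsNetworkAddressAuthorized(network, address string) (bool, error) {
	ap, err := netip.ParseAddrPort(address) // a host name here means no DNS yet
	if err != nil {
		return false, fmt.Errorf("%q is not a resolved ip:port: %w", address, err)
	}
	ip, why := ap.Addr().Unmap(), "" // ::ffff:a.b.c.d is judged as a.b.c.d
	switch {
	case ip.IsUnspecified(), ip.IsLoopback():
		why = "loopback or unspecified"
	case ip.IsLinkLocalUnicast(): // covers 169.254.0.0/16 and fe80::/10
		why = "link local unicast"
	case ip.IsPrivate(): // RFC 1918 and fc00::/7
		why = "private"
	default:
		return true, nil
	}
	return false, fmt.Errorf("%q address is %s", ip.String(), why)
}

// control is a net.Dialer.Control hook: it runs after DNS, before connect.
func control(network, address string, _ syscall.RawConn) error {
	if ok, err := (dialGate{}).IsNetworkAddressAuthorized(network, address); !ok {
		return fmt.Errorf("%s/%s is not authorized by the client: %w", network, address, err)
	}
	return nil
}

// guardedDialer can back http.Transport.DialContext.
func guardedDialer() *net.Dialer {
	return &net.Dialer{Timeout: 3 * time.Second, Control: control}
}

func main() {
	_, err := guardedDialer().Dial("tcp", "169.254.169.254:80")
	fmt.Println(err)
}
```

Because the check runs on the resolved IP at dial time, a host name that resolves to a blocked range is rejected the same way as a literal IP, on every new connection attempt.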

type Option

type Option func(*options)

Option is the functional option type used to configure the HTTP client.

func WithDisableKeepAlives

func WithDisableKeepAlives(value bool) Option

WithDisableKeepAlives disables the keep alive feature.

func WithDisableRequestFilter

func WithDisableRequestFilter(value bool) Option

WithDisableRequestFilter disables the request filtering feature.

func WithDisableResponseFilter

func WithDisableResponseFilter(value bool) Option

WithDisableResponseFilter disables the response filtering feature.

func WithFollowRedirect

func WithFollowRedirect(value bool) Option

WithFollowRedirect enables or disables the redirection follower feature; passing true enables it.

func WithMaxRedirectionCount

func WithMaxRedirectionCount(value int) Option

WithMaxRedirectionCount sets the maximum redirection count before returning an error.

func WithTLSClientConfig

func WithTLSClientConfig(value *tls.Config) Option

WithTLSClientConfig sets the HTTP client TLS configuration to use for connection.

func WithTLSDialer

func WithTLSDialer(dialer func(context.Context, string, string) (net.Conn, error)) Option

WithTLSDialer sets the TLS Dialer function to use to establish the connection.

func WithTimeout

func WithTimeout(value time.Duration) Option

WithTimeout sets the client timeout.

Directories

  • mock: Package mock is a generated GoMock package.
