Module: ActionPushWeb::SsrfProtection

Extended by:: SsrfProtection

Included in:: SsrfProtection

Defined in:: app/models/action_push_web/ssrf_protection.rb

Constant Summary collapse

DNS_RESOLUTION_TIMEOUT =

DNS_NAMESERVERS =

%w[
  1.1.1.1
  8.8.8.8
]

DISALLOWED_IP_RANGES =

[
  IPAddr.new("0.0.0.0/8"),     # "This" network (RFC1700)
  IPAddr.new("100.64.0.0/10"), # Carrier-grade NAT (RFC6598)
  IPAddr.new("198.18.0.0/15")  # Benchmark testing (RFC2544)
].freeze

Instance Method Summary collapse

#blocked_address?(ip) ⇒ Boolean
#resolve_public_ip(hostname) ⇒ Object

Instance Method Details

#blocked_address?(ip) ⇒ `Boolean`

Returns:

(Boolean)

# File 'app/models/action_push_web/ssrf_protection.rb', line 24

def blocked_address?(ip)
  ip = IPAddr.new(ip.to_s) unless ip.is_a?(IPAddr)

  ip.private? ||
    ip.loopback? ||
    ip.link_local? ||
    ip.ipv4_mapped? ||
    ip.ipv4_compat? ||
    in_disallowed_range?(ip)
end

#resolve_public_ip(hostname) ⇒ `Object`

# File 'app/models/action_push_web/ssrf_protection.rb', line 18

def resolve_public_ip(hostname)
  ip_addresses = resolve_dns(hostname)
  public_ips = ip_addresses.reject { |ip| blocked_address?(ip) }
  public_ips.sort_by { |ipaddr| ipaddr.ipv4? ? 0 : 1 }.first&.to_s
end