Showing
10 changed files
with
109 additions
and
19 deletions.
@@ -1,4 +1,4 @@ | ||
FROM ruby:2.6.0 | ||
FROM ruby:3.0.0 | ||
|
||
RUN apt update && apt-get install -y vim | ||
|
||
|
@@ -1,5 +1,6 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'ssrf_filter/patch/resolv' | ||
require 'ssrf_filter/patch/ssl_socket' | ||
require 'ssrf_filter/ssrf_filter' | ||
require 'ssrf_filter/version' |
@@ -0,0 +1,44 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'resolv' | ||
|
||
class SsrfFilter | ||
module Patch | ||
module Resolv | ||
# As described in ssl_socket.rb, we want to patch ruby's http connection code to allow us to make outbound network | ||
# requests while ensuring that both: | ||
# 1) we're connecting to a public / non-private ip address | ||
# 2) https connections continue to work | ||
# | ||
# This used to work fine prior to this change in ruby's net/http library: | ||
# https://github.com/ruby/net-http/pull/36 | ||
# After this changed was introduced our patch no longer works - we need to set the hostname to the correct | ||
# value on the SSLSocket (`s.hostname = ssl_host_address`), but that code path no longer executes due to the | ||
# modification in the linked pull request. | ||
# | ||
# To work around this we introduce the patch below, which forces our ip address string to not match against the | ||
# Resolv IPv4/IPv6 regular expressions. This is ugly and cumbersome but I didn't see any better path. | ||
class PatchedRegexp < Regexp | ||
def ===(other) | ||
if ::Thread.current.key?(::SsrfFilter::FIBER_ADDRESS_KEY) && | ||
other.object_id.equal?(::Thread.current[::SsrfFilter::FIBER_ADDRESS_KEY].object_id) | ||
false | ||
else | ||
super(other) | ||
end | ||
end | ||
end | ||
|
||
def self.apply! | ||
return if instance_variable_defined?(:@patched_resolv) | ||
|
||
@patched_resolv = true | ||
|
||
old_ipv4 = ::Resolv::IPv4.send(:remove_const, :Regex) | ||
old_ipv6 = ::Resolv::IPv6.send(:remove_const, :Regex) | ||
::Resolv::IPv4.const_set(:Regex, PatchedRegexp.new(old_ipv4)) | ||
::Resolv::IPv6.const_set(:Regex, PatchedRegexp.new(old_ipv6)) | ||
end | ||
end | ||
end | ||
end |
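Review bot: The exemption in `PatchedRegexp#===` is keyed on object identity, and the check is written in a roundabout way — `other.object_id.equal?(…object_id)` compares two Integers, where `other.equal?(::Thread.current[::SsrfFilter::FIBER_ADDRESS_KEY])` says the same thing directly and also makes the `key?` guard unnecessary, since `equal?(nil)` is false for any string. That choice deserves a comment above the method, e.g. `# Identity, not equality: only the exact String object stashed by the forced-hostname helper is exempted; an equal copy of it still matches.` Going by the rationale in the header comment, any `dup`, `+@`/`-@` or frozen-literal copy of the address string made between the thread-local assignment and the `Resolv` regex check would silently reinstate the match and skip the hostname path this patch exists to preserve, with nothing here to detect it — worth pinning in a spec. `apply!` also swaps the `Resolv` constants process-wide and the `@patched_resolv` guard is unsynchronized, which is fine only if it is invoked once at require time (not visible in this hunk).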
@@ -0,0 +1,33 @@ | ||
# frozen_string_literal: true | ||
|
||
describe ::SsrfFilter::Patch::Resolv do | ||
describe 'apply' do | ||
before do | ||
if described_class.instance_variable_defined?(:@patched_resolv) | ||
described_class.remove_instance_variable(:@patched_resolv) | ||
end | ||
end | ||
|
||
it 'only patches once' do | ||
expect(::Resolv::IPv4).to receive(:remove_const).once.and_call_original | ||
expect(::Resolv::IPv6).to receive(:remove_const).once.and_call_original | ||
described_class.apply! | ||
described_class.apply! | ||
end | ||
end | ||
|
||
describe ::SsrfFilter::Patch::Resolv::PatchedRegexp do | ||
it 'forces the ip regex to not match the supplied address' do | ||
# rubocop:disable Style/CaseEquality | ||
ipaddress1 = '1.2.3.4' | ||
ipaddress2 = '5.6.7.8' | ||
SsrfFilter.send(:with_forced_hostname, nil, ipaddress1) do | ||
expect(described_class.new(Resolv::IPv4::Regex) === ipaddress1).to be false | ||
expect(described_class.new(Resolv::IPv4::Regex) === ipaddress2).to be true | ||
end | ||
expect(described_class.new(Resolv::IPv4::Regex) === ipaddress1).to be true | ||
expect(described_class.new(Resolv::IPv4::Regex) === ipaddress2).to be true | ||
# rubocop:enable Style/CaseEquality | ||
end | ||
end | ||
end |
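Review bot: The `before` hook only removes `@patched_resolv`; it never restores the original `::Resolv::IPv4::Regex`/`::Resolv::IPv6::Regex`, so each run of 'only patches once' wraps whatever is currently installed in another `PatchedRegexp` and leaves it there for the rest of the suite (and if `apply!` already ran at load time, which this page does not show, the first wrap is already a wrap of a wrap). An `around` hook that captures both constants and reinstalls them after the example keeps the spec hermetic. The `PatchedRegexp` example also only exercises the very same String object; adding `expect(described_class.new(Resolv::IPv4::Regex) === ipaddress1.dup).to be true` inside the `with_forced_hostname` block would document that the exemption is by identity rather than by value. Both inner describe blocks sit inside the outer `describe ::SsrfFilter::Patch::Resolv`, which closes on the last line of the hunk.
```ruby
describe 'apply' do
  around do |example|
    saved_ipv4 = ::Resolv::IPv4::Regex
    saved_ipv6 = ::Resolv::IPv6::Regex
    example.run
  ensure
    ::Resolv::IPv4.send(:remove_const, :Regex)
    ::Resolv::IPv6.send(:remove_const, :Regex)
    ::Resolv::IPv4.const_set(:Regex, saved_ipv4)
    ::Resolv::IPv6.const_set(:Regex, saved_ipv6)
  end
  # … unchanged: before hook and 'only patches once' example …
end
```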