open_graph_fetcher 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 46670fff3dd827c35482bd63b1c246aa876fd85f82b3fdff752144e4f07e537b
-  data.tar.gz: a260be55faeb2038d4aeacfa9d419a1b7301ec023d327eb51fc2d5a1992ff260
+  metadata.gz: 0c8d1c67970ce91969c7caa437fba256fc1527f46006a10b8576bcd2f52fc774
+  data.tar.gz: 8e994a0fd3b384367c42ab93b73bd9185fa506e1f2af6a702a125bc26314b2a6
 SHA512:
-  metadata.gz: f23ee76f381d04b9fcc1bb60eb2f1baf4a438647009987a072f7a23334008a18614f11bb9a9cf74065e5deb695f65a3d8bed786ea2e6f32137c61a4c14a4ae06
-  data.tar.gz: 005b86f83da1f16ce55998bcefc1bceb93c0e0137bccab08e72ad1da2e749077fe2a0f5e85cd0bbf6abc005181cb16c2abab01adc1e2fa623344146743d198a7
+  metadata.gz: b6d51a0157d6b3088a8f6a8f4bb31243736300fc6bc891ecaafb6b4aa2907236b0b1e45f4e1a22c40c935a4287e3b9ada4509e40c37bbef466c1ce9ae5da2cbe
+  data.tar.gz: 678eab6e764a9ad9fc85c8e09a5b5918409f88a5fc293022c9fa847e3283bd0bc90a37700dd87c36d474566ce13047e7b57a1d8524e635b3ad54952d659ab7bb

data/README.md

@@ -3,10 +3,11 @@
 Fetch Open Graph metadata in a safer way.
 
 - Includes some mitigations for SSRF attacks
-- Blocks private and local IP ranges
+- Blocks the direct usage of IP addresses in URLs
+- Blocks private and local IP ranges (after DNS resolution)
 - Avoids TOC/TOU when connecting to the IP
 - Supports only HTTPS on the standard port (443)
-- Includes request timeouts
+- Includes request timeouts (for DNS and HTTP)
 - Avoids redirects
 - Allows only text/html responses
 - Returns only known OG properties and nothing else

data/examples/fetch.rb

@@ -0,0 +1,6 @@
+require 'open_graph_fetcher'
+
+url = "https://ogp.me"
+fetcher = OpenGraphFetcher::Fetcher.new(url)
+og_data = fetcher.fetch
+puts og_data

data/lib/open_graph_fetcher/errors.rb

@@ -3,6 +3,7 @@ module OpenGraphFetcher
 
   class InvalidSchemeError < Error; end
   class InvalidPortError < Error; end
+  class InvalidHostError < Error; end
   class IPResolutionError < Error; end
   class PrivateIPError < Error; end
   class FetchError < Error; end

data/lib/open_graph_fetcher/fetcher.rb

@@ -7,6 +7,7 @@ module OpenGraphFetcher
   class Fetcher
     OG_PROPERTIES = %w[title type image url description].freeze
     
+    DNS_TIMEOUT = 3
     OPEN_TIMEOUT = 3
     READ_TIMEOUT = 3
 
@@ -22,6 +23,7 @@ module OpenGraphFetcher
       uri = URI.parse(@url)
       raise InvalidSchemeError, "Only HTTPS URLs are allowed" unless uri.scheme == "https"
       raise InvalidPortError, "Only the default HTTPS port (443) is allowed" if uri.port && uri.port != 443
+      raise InvalidHostError, "Using an IP as host is not allowed" if ip_address?(uri.hostname)
 
       ip_address = resolve_ip(uri)
       raise PrivateIPError, "Resolved IP address is in a private or reserved range" if private_ip?(ip_address)
@@ -36,10 +38,17 @@ module OpenGraphFetcher
     private
 
     def resolve_ip(uri)
-      Resolv.getaddress(uri.host)
+      Resolv::DNS.open do |dns|
+        dns.timeouts = DNS_TIMEOUT
+        dns.getaddress(uri.hostname).to_s
+      end
     rescue Resolv::ResolvError => e
       raise IPResolutionError, "Could not resolve IP: #{e.message}"
     end
+    
+    def ip_address?(host)
+      host =~ Resolv::IPv4::Regex || host =~ Resolv::IPv6::Regex
+    end
 
     def private_ip?(ip)
       ip_addr = IPAddr.new(ip)

data/lib/open_graph_fetcher/version.rb

@@ -1,3 +1,3 @@
 module OpenGraphFetcher
-  VERSION = '0.1.0'.freeze
+  VERSION = '0.2.0'.freeze
 end

data/spec/fetcher_spec.rb

@@ -4,7 +4,7 @@ require 'webmock/rspec'
 RSpec.describe OpenGraphFetcher::Fetcher do
 
   before do
-    allow(Resolv).to receive(:getaddress).and_return("203.0.113.0")
+    allow(Resolv::DNS).to receive(:open).and_return("203.0.113.0")
   end
 
   describe ".fetch" do
@@ -51,20 +51,26 @@ RSpec.describe OpenGraphFetcher::Fetcher do
         expect { OpenGraphFetcher::Fetcher.fetch("https://example.com:8443") }.to raise_error(OpenGraphFetcher::InvalidPortError)
       end
     end
+    
+    context "when given a URL with an IP address" do
+      it "raises an InvalidHostError" do
+        expect { OpenGraphFetcher::Fetcher.fetch("https://203.0.113.0/test") }.to raise_error(OpenGraphFetcher::InvalidHostError)
+      end
+    end
 
     context "when the IP address cannot be resolved" do
       it "raises an IPResolutionError with an appropriate error message" do
-        allow(Resolv).to receive(:getaddress).and_raise(Resolv::ResolvError, "DNS resolution failed")
+        allow(Resolv::DNS).to receive(:open).and_raise(Resolv::ResolvError, "DNS resolution failed")
 
-        expect { OpenGraphFetcher::Fetcher.fetch("https://nonexistent-domain.com") }.to raise_error(OpenGraphFetcher::IPResolutionError, /Could not resolve IP: DNS resolution failed/)
+        expect { OpenGraphFetcher::Fetcher.fetch("https://nonexistent.example.com") }.to raise_error(OpenGraphFetcher::IPResolutionError, /Could not resolve IP: DNS resolution failed/)
       end
     end
 
     context "when the resolved IP address is private" do
       it "raises a PrivateIPError" do
-        allow(Resolv).to receive(:getaddress).with("10.0.0.1").and_return("10.0.0.1")
+        allow(Resolv::DNS).to receive(:open).and_return("10.0.0.1")
 
-        expect { OpenGraphFetcher::Fetcher.fetch("https://10.0.0.1") }.to raise_error(OpenGraphFetcher::PrivateIPError)
+        expect { OpenGraphFetcher::Fetcher.fetch("https://ssrf.example.com") }.to raise_error(OpenGraphFetcher::PrivateIPError)
       end
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: open_graph_fetcher
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Marco Colli
@@ -63,6 +63,7 @@ files:
 - Gemfile
 - LICENSE
 - README.md
+- examples/fetch.rb
 - lib/open_graph_fetcher.rb
 - lib/open_graph_fetcher/errors.rb
 - lib/open_graph_fetcher/fetcher.rb