ssrf_filter 1.1.1 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0230e20c7cd24b24dad277ee01042f3a4885fa68a8ea593fe0607de92023026
-  data.tar.gz: 6ce71a83907b1acfc382acc5d859a26fc1471dc3cd2dbc48d14b3e1dfca12051
+  metadata.gz: 315ab29498751c0bb60964f06932464d8663ec66e50ed403b04c2e19c9fce5e6
+  data.tar.gz: 8b3475337b149bf8e04dd11e379e9c0698f74d05528524fea847ed996aff405c
 SHA512:
-  metadata.gz: cb56468fb4bdcf10168efbc18f004d996363b9dcc8877a1fab1eff508ef1519b86c7eeb750fedd8b565a162804746f9a036b54e584520137c1c2b1a86d5c9421
-  data.tar.gz: 9d5e0ea62956d551caa2474a384fa90e827c6d133bbfe04831f77dd49cabe5bcb3abc7008eefc63bccedf1634a33bcc27f8178253ec26f7e051075dcfba7066e
+  metadata.gz: 299b91d225b906faa91a1ebd4a8ad32ce46889deaeffa89d5a7488b871310e68ed7f73332c9ee25fd0ff3d01a25dd949907a390e8ce44926910657e2fa054f3e
+  data.tar.gz: 89b6051cb2a8f232336e1e25e95a5898c71ba4439f582224452effbcc41b3a68af13d1e16d855f8ebb7634c013fefd3301c661d5d6bf72f3d98894feb867f47f

data/lib/ssrf_filter/patch/ssl_socket.rb

@@ -3,36 +3,36 @@
 class SsrfFilter
   module Patch
     module SSLSocket
-      # When fetching a url we'd like to have the following workflow:
-      # 1) resolve the hostname www.example.com, and choose a public ip address to connect to
-      # 2) connect to that specific ip address, to prevent things like DNS TOCTTOU bugs or other trickery
-      #
-      # Ideally this would happen by the ruby http library giving us control over DNS resolution,
-      # but it doesn't. Instead, when making the request we set the uri.hostname to the chosen ip address,
-      # and send a 'Host' header of the original hostname, i.e. connect to 'http://93.184.216.34/' and send
-      # a 'Host: www.example.com' header.
-      #
-      # This works for the http case, http://www.example.com. For the https case, this causes certificate
-      # validation failures, since the server certificate for https://www.example.com will not have a
-      # Subject Alternate Name for 93.184.216.34.
-      #
-      # Thus we perform the monkey-patch below, modifying SSLSocket's `post_connection_check(hostname)`
-      # and `hostname=(hostname)` methods:
-      # If our fiber local variable is set, use that for the hostname instead, otherwise behave as usual.
-      # The only time the variable will be set is if you are executing inside a `with_forced_hostname` block,
-      # which is used in ssrf_filter.rb.
-      #
-      # An alternative approach could be to pass in our own OpenSSL::X509::Store with a custom
-      # `verify_callback` to the ::Net::HTTP.start call, but this would require reimplementing certification
-      # validation, which is dangerous. This way we can piggyback on the existing validation and simply pretend
-      # that we connected to the desired hostname.
-
       def self.apply!
         return if instance_variable_defined?(:@patched_ssl_socket)
 
         @patched_ssl_socket = true
 
         ::OpenSSL::SSL::SSLSocket.class_eval do
+          # When fetching a url we'd like to have the following workflow:
+          # 1) resolve the hostname www.example.com, and choose a public ip address to connect to
+          # 2) connect to that specific ip address, to prevent things like DNS TOCTTOU bugs or other trickery
+          #
+          # Ideally this would happen by the ruby http library giving us control over DNS resolution,
+          # but it doesn't. Instead, when making the request we set the uri.hostname to the chosen ip address,
+          # and send a 'Host' header of the original hostname, i.e. connect to 'http://93.184.216.34/' and send
+          # a 'Host: www.example.com' header.
+          #
+          # This works for the http case, http://www.example.com. For the https case, this causes certificate
+          # validation failures, since the server certificate for https://www.example.com will not have a
+          # Subject Alternate Name for 93.184.216.34.
+          #
+          # Thus we perform the monkey-patch below, modifying SSLSocket's `post_connection_check(hostname)`
+          # and `hostname=(hostname)` methods:
+          # If our fiber local variable is set, use that for the hostname instead, otherwise behave as usual.
+          # The only time the variable will be set is if you are executing inside a `with_forced_hostname` block,
+          # which is used in ssrf_filter.rb.
+          #
+          # An alternative approach could be to pass in our own OpenSSL::X509::Store with a custom
+          # `verify_callback` to the ::Net::HTTP.start call, but this would require reimplementing certification
+          # validation, which is dangerous. This way we can piggyback on the existing validation and simply pretend
+          # that we connected to the desired hostname.
+
           original_post_connection_check = instance_method(:post_connection_check)
           define_method(:post_connection_check) do |hostname|
             original_post_connection_check.bind(self).call(::Thread.current[::SsrfFilter::FIBER_HOSTNAME_KEY] ||
@@ -45,6 +45,20 @@ class SsrfFilter
               original_hostname.bind(self).call(::Thread.current[::SsrfFilter::FIBER_HOSTNAME_KEY] || hostname)
             end
           end
+
+          # This patch is the successor to https://github.com/arkadiyt/ssrf_filter/pull/54
+          # Due to some changes in Ruby's net/http library (namely https://github.com/ruby/net-http/pull/36),
+          # the SSLSocket in the request was no longer getting `s.hostname` set.
+          # The original fix tried to monkey-patch the Regexp class to cause the original code path to execute,
+          # but this caused other problems (like https://github.com/arkadiyt/ssrf_filter/issues/61)
+          # This fix attempts a different approach to set the hostname on the socket
+          original_initialize = instance_method(:initialize)
+          define_method(:initialize) do |*args|
+            original_initialize.bind(self).call(*args)
+            if ::Thread.current.key?(::SsrfFilter::FIBER_HOSTNAME_KEY)
+              self.hostname = ::Thread.current[::SsrfFilter::FIBER_HOSTNAME_KEY]
+            end
+          end
         end
       end
     end

data/lib/ssrf_filter/ssrf_filter.rb

@@ -72,6 +72,7 @@ class SsrfFilter
     ::Resolv.getaddresses(hostname).map { |ip| ::IPAddr.new(ip) }
   end
 
+  DEFAULT_ALLOW_UNFOLLOWED_REDIRECTS = false
   DEFAULT_MAX_REDIRECTS = 10
 
   VERB_MAP = {
@@ -84,7 +85,6 @@ class SsrfFilter
   }.freeze
 
   FIBER_HOSTNAME_KEY = :__ssrf_filter_hostname
-  FIBER_ADDRESS_KEY = :__ssrf_filter_address
 
   class Error < ::StandardError
   end
@@ -107,14 +107,15 @@ class SsrfFilter
   %i[get put post delete head patch].each do |method|
     define_singleton_method(method) do |url, options = {}, &block|
       ::SsrfFilter::Patch::SSLSocket.apply!
-      ::SsrfFilter::Patch::Resolv.apply!
 
       original_url = url
-      scheme_whitelist = options[:scheme_whitelist] || DEFAULT_SCHEME_WHITELIST
-      resolver = options[:resolver] || DEFAULT_RESOLVER
-      max_redirects = options[:max_redirects] || DEFAULT_MAX_REDIRECTS
+      scheme_whitelist = options.fetch(:scheme_whitelist, DEFAULT_SCHEME_WHITELIST)
+      resolver = options.fetch(:resolver, DEFAULT_RESOLVER)
+      allow_unfollowed_redirects = options.fetch(:allow_unfollowed_redirects, DEFAULT_ALLOW_UNFOLLOWED_REDIRECTS)
+      max_redirects = options.fetch(:max_redirects, DEFAULT_MAX_REDIRECTS)
       url = url.to_s
 
+      response = nil
       (max_redirects + 1).times do
         uri = URI(url)
 
@@ -133,6 +134,8 @@ class SsrfFilter
         return response if url.nil?
       end
 
+      return response if allow_unfollowed_redirects
+
       raise TooManyRedirects, "Got #{max_redirects} redirects fetching #{original_url}"
     end
   end
@@ -189,20 +192,20 @@ class SsrfFilter
     http_options = options[:http_options] || {}
     http_options[:use_ssl] = (uri.scheme == 'https')
 
-    with_forced_hostname(hostname, ip) do
+    with_forced_hostname(hostname) do
       ::Net::HTTP.start(uri.hostname, uri.port, **http_options) do |http|
-        http.request(request) do |response|
-          case response
-          when ::Net::HTTPRedirection
-            url = response['location']
-            # Handle relative redirects
-            url = "#{uri.scheme}://#{hostname}:#{uri.port}#{url}" if url.start_with?('/')
-            return nil, url
-          else
-            block&.call(response)
-            return response, nil
-          end
+        response = http.request(request) do |res|
+          block&.call(res)
+        end
+        case response
+        when ::Net::HTTPRedirection
+          url = response['location']
+          # Handle relative redirects
+          url = "#{uri.scheme}://#{hostname}:#{uri.port}#{url}" if url.start_with?('/')
+        else
+          url = nil
         end
+        return response, url
       end
     end
   end
@@ -221,13 +224,11 @@ class SsrfFilter
   end
   private_class_method :validate_request
 
-  def self.with_forced_hostname(hostname, ip, &_block)
+  def self.with_forced_hostname(hostname, &_block)
     ::Thread.current[FIBER_HOSTNAME_KEY] = hostname
-    ::Thread.current[FIBER_ADDRESS_KEY] = ip
     yield
   ensure
     ::Thread.current[FIBER_HOSTNAME_KEY] = nil
-    ::Thread.current[FIBER_ADDRESS_KEY] = nil
   end
   private_class_method :with_forced_hostname
 end

data/lib/ssrf_filter/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class SsrfFilter
-  VERSION = '1.1.1'
+  VERSION = '1.1.2'
 end

data/lib/ssrf_filter.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'ssrf_filter/patch/resolv'
 require 'ssrf_filter/patch/ssl_socket'
 require 'ssrf_filter/ssrf_filter'
 require 'ssrf_filter/version'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ssrf_filter
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.1.2
 platform: ruby
 authors:
 - Arkadiy Tetelman
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-01 00:00:00.000000000 Z
+date: 2023-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.11.0
+        version: 3.12.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.11.0
+        version: 3.12.0
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.2
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.2
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: simplecov-lcov
   requirement: !ruby/object:Gem::Requirement
@@ -144,7 +144,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/ssrf_filter.rb
-- lib/ssrf_filter/patch/resolv.rb
 - lib/ssrf_filter/patch/ssl_socket.rb
 - lib/ssrf_filter/ssrf_filter.rb
 - lib/ssrf_filter/version.rb
@@ -168,7 +167,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: A gem that makes it easy to prevent server side request forgery (SSRF) attacks

data/lib/ssrf_filter/patch/resolv.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-require 'resolv'
-
-class SsrfFilter
-  module Patch
-    module Resolv
-      # As described in ssl_socket.rb, we want to patch ruby's http connection code to allow us to make outbound network
-      # requests while ensuring that both:
-      # 1) we're connecting to a public / non-private ip address
-      # 2) https connections continue to work
-      #
-      # This used to work fine prior to this change in ruby's net/http library:
-      # https://github.com/ruby/net-http/pull/36
-      # After this changed was introduced our patch no longer works - we need to set the hostname to the correct
-      # value on the SSLSocket (`s.hostname = ssl_host_address`), but that code path no longer executes due to the
-      # modification in the linked pull request.
-      #
-      # To work around this we introduce the patch below, which forces our ip address string to not match against the
-      # Resolv IPv4/IPv6 regular expressions. This is ugly and cumbersome but I didn't see any better path.
-      class PatchedRegexp < Regexp
-        def ===(other)
-          if ::Thread.current.key?(::SsrfFilter::FIBER_ADDRESS_KEY) &&
-             other.object_id.equal?(::Thread.current[::SsrfFilter::FIBER_ADDRESS_KEY].object_id)
-            false
-          else
-            super(other)
-          end
-        end
-      end
-
-      def self.apply!
-        return if instance_variable_defined?(:@patched_resolv)
-
-        @patched_resolv = true
-
-        old_ipv4 = ::Resolv::IPv4.send(:remove_const, :Regex)
-        old_ipv6 = ::Resolv::IPv6.send(:remove_const, :Regex)
-        ::Resolv::IPv4.const_set(:Regex, PatchedRegexp.new(old_ipv4))
-        ::Resolv::IPv6.const_set(:Regex, PatchedRegexp.new(old_ipv6))
-      end
-    end
-  end
-end