ssrfs-up-v2 0.21.2

data/lib/ssrfs-up.rb

@@ -0,0 +1,201 @@
+require "aws-sdk-lambda"
+require "uri"
+require "ssrfs-up/version"
+require "ostruct"
+require "ssrf_filter"
+require "cgi"
+
+# Common files
+require "openapi_client/lib/openapi_client/api_client"
+require "openapi_client/lib/openapi_client/api_error"
+require "openapi_client/lib/openapi_client/version"
+require "openapi_client/lib/openapi_client/configuration"
+
+# Models
+require "openapi_client/lib/openapi_client/models/content_type"
+require "openapi_client/lib/openapi_client/models/method"
+require "openapi_client/lib/openapi_client/models/redirect"
+require "openapi_client/lib/openapi_client/models/request"
+require "openapi_client/lib/openapi_client/models/response"
+require "openapi_client/lib/openapi_client/models/response_error"
+require "openapi_client/lib/openapi_client/models/response_success"
+
+# APIs
+require "openapi_client/lib/openapi_client/api/default_api"
+##
+# This module contains the AWS lambda client and helper methods to easily
+# make requests to it. All methods take a hostname or URI and a hash or options
+# for the request.
+module SSRFsUp
+  class Configuration
+    attr_accessor :func_name, :invoke_type, :log_type, :region, :test, :proxy
+
+    def initialize
+      @func_name = "arn:aws:lambda:us-west-2:871040364337:function:sec-czi-sec-ssrfs-up:sec-czi-sec-ssrfs-up"
+      @invoke_type = "RequestResponse"
+      @log_type = "None"
+      @region = "us-west-2"
+      @test = false
+      @proxy = true
+    end
+  end
+
+  class << self
+    attr_accessor :config, :client
+
+    # These methods take a string like "www.google.com" or "https://google.com" and parse
+    # the respective parameters from the string to make the request. If only a hostname
+    # is provided, the default options are applied. A hash of options can also be
+    # supplied to configure the request. The set of options can be found at
+    # https://github.com/chanzuckerberg/SSRFs-Up/blob/0e18fd30bee3f2b99ff4bc512cb967b83e8d9dcb/openapi.yaml#L97-L119
+    def do(method, host, opts = {})
+      case method.downcase
+      when "get"
+        get(host, opts)
+      when "put"
+        put(host, opts)
+      when "post"
+        post(host, opts)
+      when "patch"
+        patch(host, opts)
+      when "delete"
+        delete(host, opts)
+      end
+    end
+
+    # convenience method for making a GET request with do.
+    def get(host, opts = {})
+      opts[:method] = "GET"
+      invoke(host, opts)
+    end
+
+    # convenience method for making a PUT request with do.
+    def put(host, opts = {})
+      opts[:method] = "PUT"
+      invoke(host, opts)
+    end
+
+    # convenience method for making a POST request with do.
+    def post(host, opts = {})
+      opts[:method] = "POST"
+      invoke(host, opts)
+    end
+
+    # convenience method for making a patch request with do.
+    def patch(host, opts = {})
+      opts[:method] = "PATCH"
+      invoke(host, opts)
+    end
+
+    # convenience method for making a DELETE request with do.
+    def delete(host, opts = {})
+      opts[:method] = "DELETE"
+      invoke(host, opts)
+    end
+
+    # takes an ambiguous string or URI and sets the appropriate options based
+    # on if it can be parsed as URI object. If it can't, then the string is assumed
+    # to be a hostname only.
+    def parseAsUri(uri = "")
+      uri = uri.to_s
+      opts = { :host => uri.split("/")[0].split("?")[0].split("#")[0] }
+      u = URI(uri)
+
+      # if the scheme was present, we can parse most of the options from the URI.
+      # otherwise, we can assume the URI was an actual hostname
+      unless u.scheme.nil?
+        opts[:secure] = !(u.scheme == "http")
+        opts[:host] = u.host
+        opts[:path] = u.path unless u.path == ""
+        opts[:params] = CGI.parse(u.query) unless u.query.nil?
+      end
+      opts
+    end
+
+    # converts a hash of options to a valid OpenapiClient Request so that it
+    # can be properly consumed by the lambda.
+    def toOpenAPIClient(opts = {})
+      OpenapiClient::Request.new(opts).to_hash
+    end
+
+    # configures the SSRFsUp module and recreates the AWS Lambda Client from
+    # the updated configuration.
+    def configure
+      yield(configuration)
+      @client = Aws::Lambda::Client.new({ region: configuration.region, stub_responses: configuration.test })
+    end
+
+    def configuration
+      @config ||= Configuration.new
+    end
+
+    def client
+      @client ||= Aws::Lambda::Client.new(region: configuration.region)
+    end
+
+    def fast_check(host, opts)
+      scheme = opts[:secure] ? "https://" : "http://"
+      path = opts[:path].nil? ? "" : opts[:path]
+      params = opts[:params].nil? ? "" : "?" + URI.encode_www_form(opts[:params])
+      url = scheme + host + path + params
+
+      filter_opts = { :max_redirects => opts[:redirect].nil? ? 3 : opts[:redirect] }
+      filter_opts[:params] = opts[:params] unless opts[:params].nil?
+      filter_opts[:body] = opts[:body] unless opts[:body].nil?
+      filter_opts[:headers] = opts[:headers] unless opts[:headers].nil?
+
+      begin
+        case opts[:method].downcase
+        when "get"
+          resp = SsrfFilter.get(url, filter_opts)
+        when "put"
+          resp = SsrfFilter.put(url, filter_opts)
+        when "post"
+          resp = SsrfFilter.post(url, filter_opts)
+        when "delete"
+          resp = SsrfFilter.delete(url, filter_opts)
+        when "patch"
+          return { status_code: 404, status_text: "Unsupported method", body: "Cannot use patch with fast path." }
+        end
+
+        { status_code: resp.code.to_i, status_text: resp.message, body: resp.body }
+      rescue SsrfFilter::PrivateIPAddress => exception
+        { status_code: 404, status_text: "Invalid destination", body: exception.to_s }
+      end
+    end
+
+    # invokes the lambda with the provided arguments. It handles all lambda
+    # related errors so developers should assume the data they receive back is straight
+    # from the server they are speaking to.
+    def invoke(host = nil, opts = {})
+      opts = opts.merge(parseAsUri(host))
+      if (!opts[:proxy].nil? && !opts[:proxy]) || !configuration.proxy
+        OpenStruct.new(fast_check(opts[:host], opts))
+      else
+        begin
+          resp = client.invoke({
+            function_name: configuration.func_name,
+            invocation_type: configuration.invoke_type,
+            log_type: configuration.log_type,
+            payload: payload(opts),
+          })
+
+          if resp["status_code"] == 200
+            OpenStruct.new(JSON.parse(resp&.payload&.string))
+          else
+            OpenStruct.new({ body: "", status_code: resp[status_code], status_text: "500 Error with proxy" })
+          end
+        rescue StandardError => e
+          # fall back to local check if the lambda wasn't reachable.
+          OpenStruct.new(fast_check(opts[:host], opts))
+        end
+      end
+    end
+
+    # payload builds an API client Request object with the proper defaults and
+    # returns its JSON serialization.
+    def payload(opts = {})
+      toOpenAPIClient(opts).to_json
+    end
+  end
+end

metadata

@@ -0,0 +1,156 @@
+--- !ruby/object:Gem::Specification
+name: ssrfs-up-v2
+version: !ruby/object:Gem::Version
+  version: 0.21.2
+platform: ruby
+authors:
+- Jake Heath
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2022-08-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-lambda
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: ssrf_filter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.6.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.6.0
+description: A gem that simplifies connecting to out AWS Lambda used to proxy requests.
+  Make your third-party requests secure by default.
+email:
+- jheath@chanzuckerberg.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/openapi_client/lib/openapi_client.rb
+- lib/openapi_client/lib/openapi_client/api/default_api.rb
+- lib/openapi_client/lib/openapi_client/api_client.rb
+- lib/openapi_client/lib/openapi_client/api_error.rb
+- lib/openapi_client/lib/openapi_client/configuration.rb
+- lib/openapi_client/lib/openapi_client/models/content_type.rb
+- lib/openapi_client/lib/openapi_client/models/method.rb
+- lib/openapi_client/lib/openapi_client/models/redirect.rb
+- lib/openapi_client/lib/openapi_client/models/request.rb
+- lib/openapi_client/lib/openapi_client/models/response.rb
+- lib/openapi_client/lib/openapi_client/models/response_error.rb
+- lib/openapi_client/lib/openapi_client/models/response_success.rb
+- lib/openapi_client/lib/openapi_client/version.rb
+- lib/ssrfs-up.rb
+- lib/ssrfs-up/version.rb
+homepage: https://github.com/chanzuckerberg/ssrf-proxy
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/chanzuckerberg/ssrf-proxy
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: Proxy all requests to avoid SSRF.
+test_files: []