ssrfs-up 0.0.14 → 0.0.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79a89488772f10f51bacee766112aa17c601361a98ec04ef3fd881efbf416ba3
-  data.tar.gz: 0c35e3c62444e4b9331146c77ef6ce282ceeafcf9145e413b7dbcdf8365ae199
+  metadata.gz: ac607c50569f257378191c69e03d27d136d4644d0cbe64f7f4ac194f91a90a65
+  data.tar.gz: b88301259811836561ea14d322b50eb4e2111fb187eaa4a97e53449f76ff33fe
 SHA512:
-  metadata.gz: '081d9147f84e5120a963d1f022347d5d6ab4c074420aad40e05e2be5725ff488a1df364fbb10c6e1c6374861cd96543edbcc0ce4993b88bb10b6d0bbe252fbf7'
-  data.tar.gz: d663b3859ca75bf3a762ca78ce85f3c286d17aa24c99cb6aa410d969996261addb3f411dbda78e22e25469c7f09eca9879b928fd71c7de3265598983e21380f6
+  metadata.gz: 70692d0efeef0ba0ff33f2206024ac3c4daed6c4bf6862ac2ec77d0a42d84719022f8fa669c63c2350595d8b343757dd6278a6a93c1e604377ee9799e2298f5c
+  data.tar.gz: 41bdf36de6586091b5a08f1ee7ec4a49078a759bbdb5a2c1eeb353fbd88c31a2b885a878b8b1a09e2f9efccca7381f38fe176e0312fe5b5f5c09e32aaf4fa753

data/lib/openapi_client/lib/openapi_client.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/api/default_api.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/api_client.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/api_error.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/configuration.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/content_type.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/method.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/redirect.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/request.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 
@@ -160,7 +160,7 @@ module OpenapiClient
       if attributes.key?(:'path')
         self.path = attributes[:'path']
       else
-        self.path = '/'
+        self.path = ''
       end
     end
 

data/lib/openapi_client/lib/openapi_client/models/response.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/response_error.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/response_success.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/version.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/ssrfs-up.rb

@@ -1,52 +1,42 @@
-require 'aws-sdk-lambda'
-require 'uri'
-require 'ssrfs-up/version'
-require 'ostruct'
-require 'honeycomb-beeline'
+require "aws-sdk-lambda"
+require "uri"
+require "ssrfs-up/version"
+require "ostruct"
+require "ssrf_filter"
+require "cgi"
 
 # Common files
-require 'openapi_client/lib/openapi_client/api_client'
-require 'openapi_client/lib/openapi_client/api_error'
-require 'openapi_client/lib/openapi_client/version'
-require 'openapi_client/lib/openapi_client/configuration'
+require "openapi_client/lib/openapi_client/api_client"
+require "openapi_client/lib/openapi_client/api_error"
+require "openapi_client/lib/openapi_client/version"
+require "openapi_client/lib/openapi_client/configuration"
 
 # Models
-require 'openapi_client/lib/openapi_client/models/content_type'
-require 'openapi_client/lib/openapi_client/models/method'
-require 'openapi_client/lib/openapi_client/models/redirect'
-require 'openapi_client/lib/openapi_client/models/request'
-require 'openapi_client/lib/openapi_client/models/response'
-require 'openapi_client/lib/openapi_client/models/response_error'
-require 'openapi_client/lib/openapi_client/models/response_success'
+require "openapi_client/lib/openapi_client/models/content_type"
+require "openapi_client/lib/openapi_client/models/method"
+require "openapi_client/lib/openapi_client/models/redirect"
+require "openapi_client/lib/openapi_client/models/request"
+require "openapi_client/lib/openapi_client/models/response"
+require "openapi_client/lib/openapi_client/models/response_error"
+require "openapi_client/lib/openapi_client/models/response_success"
 
 # APIs
-require 'openapi_client/lib/openapi_client/api/default_api'
+require "openapi_client/lib/openapi_client/api/default_api"
 ##
 # This module contains the AWS lambda client and helper methods to easily
 # make requests to it. All methods take a hostname or URI and a hash or options
 # for the request.
 module SSRFsUp
-  Honeycomb.configure do |config|
-    config.write_key = '0dc36d095b2c3aefb237dd04e13f580c'
-    config.dataset = 'ssrfs-up'
-    config.service_name = 'ssrfs-up-ruby-client'
-    config.presend_hook do |fields|
-      fields['aws.session_token'] = '[REDACTED]' if fields.has_key? 'aws.session_token'
-      fields['aws.access_key_id'] = '[REDACTED]' if fields.has_key? 'aws.access_key_id'
-      fields['aws.params.function_name'] = '[REDACTED]' if fields.has_key? 'aws.params.function_name'
-      fields['aws.params.payload'] = '[REDACTED]' if fields.has_key? 'aws.params.payload'
-    end
-  end
-
   class Configuration
-    attr_accessor :func_name, :invoke_type, :log_type, :region, :test
+    attr_accessor :func_name, :invoke_type, :log_type, :region, :test, :proxy
 
     def initialize
-      @func_name = 'arn:aws:lambda:us-west-2:871040364337:function:sec-czi-sec-ssrfs-up'
-      @invoke_type = 'RequestResponse'
-      @log_type = 'None'
-      @region = 'us-west-2'
+      @func_name = "arn:aws:lambda:us-west-2:871040364337:function:sec-czi-sec-ssrfs-up:sec-czi-sec-ssrfs-up"
+      @invoke_type = "RequestResponse"
+      @log_type = "None"
+      @region = "us-west-2"
       @test = false
+      @proxy = true
     end
   end
 
@@ -60,64 +50,64 @@ module SSRFsUp
     # https://github.com/chanzuckerberg/SSRFs-Up/blob/0e18fd30bee3f2b99ff4bc512cb967b83e8d9dcb/openapi.yaml#L97-L119
     def do(method, host, opts = {})
       case method.downcase
-      when 'get'
+      when "get"
         get(host, opts)
-      when 'put'
+      when "put"
         put(host, opts)
-      when 'post'
+      when "post"
         post(host, opts)
-      when 'patch'
+      when "patch"
         patch(host, opts)
-      when 'delete'
+      when "delete"
         delete(host, opts)
       end
     end
 
     # convenience method for making a GET request with do.
     def get(host, opts = {})
-      opts['method'] = 'GET'
+      opts[:method] = "GET"
       invoke(host, opts)
     end
 
     # convenience method for making a PUT request with do.
     def put(host, opts = {})
-      opts['method'] = 'PUT'
+      opts[:method] = "PUT"
       invoke(host, opts)
     end
 
     # convenience method for making a POST request with do.
     def post(host, opts = {})
-      opts['method'] = 'POST'
+      opts[:method] = "POST"
       invoke(host, opts)
     end
 
     # convenience method for making a patch request with do.
     def patch(host, opts = {})
-      opts['method'] = 'PATCH'
+      opts[:method] = "PATCH"
       invoke(host, opts)
     end
 
     # convenience method for making a DELETE request with do.
     def delete(host, opts = {})
-      opts['method'] = 'DELETE'
+      opts[:method] = "DELETE"
       invoke(host, opts)
     end
 
     # takes an ambiguous string or URI and sets the appropriate options based
     # on if it can be parsed as URI object. If it can't, then the string is assumed
     # to be a hostname only.
-    def parseAsUri(uri = '')
+    def parseAsUri(uri = "")
       uri = uri.to_s
-      opts = { 'host' => uri.split('/')[0].split('?')[0].split('#')[0] }
+      opts = { :host => uri.split("/")[0].split("?")[0].split("#")[0] }
       u = URI(uri)
 
       # if the scheme was present, we can parse most of the options from the URI.
       # otherwise, we can assume the URI was an actual hostname
       unless u.scheme.nil?
-        opts['secure'] = !(u.scheme == 'http')
-        opts['host'] = u.host
-        opts['path'] = u.path unless u.path == ''
-        opts['params'] = CGI.parse(u.query) unless u.query.nil?
+        opts[:secure] = !(u.scheme == "http")
+        opts[:host] = u.host
+        opts[:path] = u.path unless u.path == ""
+        opts[:params] = CGI.parse(u.query) unless u.query.nil?
       end
       opts
     end
@@ -143,37 +133,63 @@ module SSRFsUp
       @client ||= Aws::Lambda::Client.new(region: configuration.region)
     end
 
+    def fast_check(host, opts)
+      scheme = opts[:secure] ? "https://" : "http://"
+      path = opts[:path].nil? ? "" : opts[:path]
+      params = opts[:params].nil? ? "" : "?" + opts[:params]
+      url = scheme + host + path + params
+
+      filter_opts = { :max_redirects => opts[:redirect].nil? ? 3 : opts[:redirect] }
+      filter_opts[:params] = opts[:params] unless opts[:params].nil?
+      filter_opts[:body] = opts[:body] unless opts[:body].nil?
+      filter_opts[:headers] = opts[:headers] unless opts[:headers].nil?
+
+      begin
+        case opts[:method].downcase
+        when "get"
+          resp = SsrfFilter.get(url, filter_opts)
+        when "put"
+          resp = SsrfFilter.put(url, filter_opts)
+        when "post"
+          resp = SsrfFilter.post(url, filter_opts)
+        when "delete"
+          resp = SsrfFilter.delete(url, filter_opts)
+        when "patch"
+          return { status_code: 404, status_text: "Unsupported method", body: "Cannot use patch with fast path." }
+        end
+
+        { status_code: resp.code.to_i, status_text: resp.message, body: resp.body }
+      rescue SsrfFilter::PrivateIPAddress => exception
+        { status_code: 404, status_text: "Invalid destination", body: exception.to_s }
+      end
+    end
+
     # invokes the lambda with the provided arguments. It handles all lambda
     # related errors so developers should assume the data they receive back is straight
     # from the server they are speaking to.
     def invoke(host = nil, opts = {})
-      resp = if !configuration.test
-               Honeycomb.start_span(name: 'invoke') do |span|
-                 span.add_field('host', host)
-                 opts = opts.merge(parseAsUri(host))
-                 opts = opts.merge({ 'headers' => { 'X-Honeycomb-Trace' => span.to_trace_header } })
-                 client.invoke({
-                                 function_name: configuration.func_name,
-                                 invocation_type: configuration.invoke_type,
-                                 log_type: configuration.log_type,
-                                 payload: payload(opts)
-                               })
-               end
-             else
-               client.invoke({
-                               function_name: configuration.func_name,
-                               invocation_type: configuration.invoke_type,
-                               log_type: configuration.log_type,
-                               payload: payload(opts)
-                             })
-             end
-      if resp['status_code'] == 200
-        OpenStruct.new(JSON.parse(resp&.payload&.string))
+      opts = opts.merge(parseAsUri(host))
+      if (!opts[:proxy].nil? && !opts[:proxy]) || !configuration.proxy
+        OpenStruct.new(fast_check(host, opts))
       else
-        OpenStruct.new({ body: '', status_code: resp[status_code], status_text: '500 Error with proxy' })
+        begin
+          resp = client.invoke({
+            function_name: configuration.func_name,
+            invocation_type: configuration.invoke_type,
+            log_type: configuration.log_type,
+            payload: payload(opts),
+          })
+
+          if resp["status_code"] == 200
+            OpenStruct.new(JSON.parse(resp&.payload&.string))
+          else
+            OpenStruct.new({ body: "", status_code: resp[status_code], status_text: "500 Error with proxy" })
+          end
+        rescue StandardError => e
+          # fall back to local check if the lambda wasn't reachable.
+          OpenStruct.new(fast_check(host, opts))
+        end
       end
-    rescue StandardError => e
-      OpenStruct.new({ body: '', status_code: 500, status_text: e.to_s })
     end
 
     # payload builds an API client Request object with the proper defaults and
@@ -181,5 +197,5 @@ module SSRFsUp
     def payload(opts = {})
       toOpenAPIClient(opts).to_json
     end
-end
+  end
 end

data/lib/ssrfs-up/version.rb

@@ -1,3 +1,3 @@
 module SSRFsUp
-  VERSION = '0.0.14'.freeze
+  VERSION = "0.0.18".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ssrfs-up
 version: !ruby/object:Gem::Version
-  version: 0.0.14
+  version: 0.0.18
 platform: ruby
 authors:
 - Jake Heath
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-02 00:00:00.000000000 Z
+date: 2021-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-lambda
@@ -30,26 +30,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1'
-- !ruby/object:Gem::Dependency
-  name: libhoney
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.18'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.18.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.18'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.18.0
 - !ruby/object:Gem::Dependency
   name: typhoeus
   requirement: !ruby/object:Gem::Requirement
@@ -71,25 +51,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.0.1
 - !ruby/object:Gem::Dependency
-  name: honeycomb-beeline
+  name: ssrf_filter
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.4'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.4.0
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.4'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.4.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -195,7 +169,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Proxy all requests to avoid SSRF.