ssrfs-up 0.0.17 → 0.0.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ed38c43272a326e05f87796045f0c9e79debdda9d9ff065afbb61411f647fe9c
-  data.tar.gz: f5512226009f01dcf116ef1aa8a9a82d286459b52c28287fe4f886e740e16613
+  metadata.gz: ac607c50569f257378191c69e03d27d136d4644d0cbe64f7f4ac194f91a90a65
+  data.tar.gz: b88301259811836561ea14d322b50eb4e2111fb187eaa4a97e53449f76ff33fe
 SHA512:
-  metadata.gz: 0afab3d60b6690dda4cc7bd5dbc74e0da1906a848532b71bc37b7bdcd56e7e1d91bdaf1d7d76309831c18570e13460cff3197bcf146c9d83516338fc0f443753
-  data.tar.gz: 7c2ff1b829f59d23b7012f054377c2b04591133dda7d4603dd11334b6ff769c40175ac80988546277f3641ad1ce3c0bc71611a9eefc9bc78f15c05ce15916e94
+  metadata.gz: 70692d0efeef0ba0ff33f2206024ac3c4daed6c4bf6862ac2ec77d0a42d84719022f8fa669c63c2350595d8b343757dd6278a6a93c1e604377ee9799e2298f5c
+  data.tar.gz: 41bdf36de6586091b5a08f1ee7ec4a49078a759bbdb5a2c1eeb353fbd88c31a2b885a878b8b1a09e2f9efccca7381f38fe176e0312fe5b5f5c09e32aaf4fa753

data/lib/openapi_client/lib/openapi_client.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/api/default_api.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/api_client.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/api_error.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/configuration.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/content_type.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/method.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/redirect.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/request.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 
@@ -160,7 +160,7 @@ module OpenapiClient
       if attributes.key?(:'path')
         self.path = attributes[:'path']
       else
-        self.path = '/'
+        self.path = ''
       end
     end
 

data/lib/openapi_client/lib/openapi_client/models/response.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/response_error.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/models/response_success.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/openapi_client/lib/openapi_client/version.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1.0.0-oas3-oas3-oas3
 Contact: jheath@chanzuckerberg.com
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 5.1.0
+OpenAPI Generator version: 5.2.0
 
 =end
 

data/lib/ssrfs-up.rb

@@ -1,39 +1,42 @@
-require 'aws-sdk-lambda'
-require 'uri'
-require 'ssrfs-up/version'
-require 'ostruct'
+require "aws-sdk-lambda"
+require "uri"
+require "ssrfs-up/version"
+require "ostruct"
+require "ssrf_filter"
+require "cgi"
 
 # Common files
-require 'openapi_client/lib/openapi_client/api_client'
-require 'openapi_client/lib/openapi_client/api_error'
-require 'openapi_client/lib/openapi_client/version'
-require 'openapi_client/lib/openapi_client/configuration'
+require "openapi_client/lib/openapi_client/api_client"
+require "openapi_client/lib/openapi_client/api_error"
+require "openapi_client/lib/openapi_client/version"
+require "openapi_client/lib/openapi_client/configuration"
 
 # Models
-require 'openapi_client/lib/openapi_client/models/content_type'
-require 'openapi_client/lib/openapi_client/models/method'
-require 'openapi_client/lib/openapi_client/models/redirect'
-require 'openapi_client/lib/openapi_client/models/request'
-require 'openapi_client/lib/openapi_client/models/response'
-require 'openapi_client/lib/openapi_client/models/response_error'
-require 'openapi_client/lib/openapi_client/models/response_success'
+require "openapi_client/lib/openapi_client/models/content_type"
+require "openapi_client/lib/openapi_client/models/method"
+require "openapi_client/lib/openapi_client/models/redirect"
+require "openapi_client/lib/openapi_client/models/request"
+require "openapi_client/lib/openapi_client/models/response"
+require "openapi_client/lib/openapi_client/models/response_error"
+require "openapi_client/lib/openapi_client/models/response_success"
 
 # APIs
-require 'openapi_client/lib/openapi_client/api/default_api'
+require "openapi_client/lib/openapi_client/api/default_api"
 ##
 # This module contains the AWS lambda client and helper methods to easily
 # make requests to it. All methods take a hostname or URI and a hash or options
 # for the request.
 module SSRFsUp
   class Configuration
-    attr_accessor :func_name, :invoke_type, :log_type, :region, :test
+    attr_accessor :func_name, :invoke_type, :log_type, :region, :test, :proxy
 
     def initialize
-      @func_name = 'arn:aws:lambda:us-west-2:871040364337:function:sec-czi-sec-ssrfs-up:sec-czi-sec-ssrfs-up'
-      @invoke_type = 'RequestResponse'
-      @log_type = 'None'
-      @region = 'us-west-2'
+      @func_name = "arn:aws:lambda:us-west-2:871040364337:function:sec-czi-sec-ssrfs-up:sec-czi-sec-ssrfs-up"
+      @invoke_type = "RequestResponse"
+      @log_type = "None"
+      @region = "us-west-2"
       @test = false
+      @proxy = true
     end
   end
 
@@ -47,64 +50,64 @@ module SSRFsUp
     # https://github.com/chanzuckerberg/SSRFs-Up/blob/0e18fd30bee3f2b99ff4bc512cb967b83e8d9dcb/openapi.yaml#L97-L119
     def do(method, host, opts = {})
       case method.downcase
-      when 'get'
+      when "get"
         get(host, opts)
-      when 'put'
+      when "put"
         put(host, opts)
-      when 'post'
+      when "post"
         post(host, opts)
-      when 'patch'
+      when "patch"
         patch(host, opts)
-      when 'delete'
+      when "delete"
         delete(host, opts)
       end
     end
 
     # convenience method for making a GET request with do.
     def get(host, opts = {})
-      opts['method'] = 'GET'
+      opts[:method] = "GET"
       invoke(host, opts)
     end
 
     # convenience method for making a PUT request with do.
     def put(host, opts = {})
-      opts['method'] = 'PUT'
+      opts[:method] = "PUT"
       invoke(host, opts)
     end
 
     # convenience method for making a POST request with do.
     def post(host, opts = {})
-      opts['method'] = 'POST'
+      opts[:method] = "POST"
       invoke(host, opts)
     end
 
     # convenience method for making a patch request with do.
     def patch(host, opts = {})
-      opts['method'] = 'PATCH'
+      opts[:method] = "PATCH"
       invoke(host, opts)
     end
 
     # convenience method for making a DELETE request with do.
     def delete(host, opts = {})
-      opts['method'] = 'DELETE'
+      opts[:method] = "DELETE"
       invoke(host, opts)
     end
 
     # takes an ambiguous string or URI and sets the appropriate options based
     # on if it can be parsed as URI object. If it can't, then the string is assumed
     # to be a hostname only.
-    def parseAsUri(uri = '')
+    def parseAsUri(uri = "")
       uri = uri.to_s
-      opts = { 'host' => uri.split('/')[0].split('?')[0].split('#')[0] }
+      opts = { :host => uri.split("/")[0].split("?")[0].split("#")[0] }
       u = URI(uri)
 
       # if the scheme was present, we can parse most of the options from the URI.
       # otherwise, we can assume the URI was an actual hostname
       unless u.scheme.nil?
-        opts['secure'] = !(u.scheme == 'http')
-        opts['host'] = u.host
-        opts['path'] = u.path unless u.path == ''
-        opts['params'] = CGI.parse(u.query) unless u.query.nil?
+        opts[:secure] = !(u.scheme == "http")
+        opts[:host] = u.host
+        opts[:path] = u.path unless u.path == ""
+        opts[:params] = CGI.parse(u.query) unless u.query.nil?
       end
       opts
     end
@@ -130,25 +133,63 @@ module SSRFsUp
       @client ||= Aws::Lambda::Client.new(region: configuration.region)
     end
 
+    def fast_check(host, opts)
+      scheme = opts[:secure] ? "https://" : "http://"
+      path = opts[:path].nil? ? "" : opts[:path]
+      params = opts[:params].nil? ? "" : "?" + opts[:params]
+      url = scheme + host + path + params
+
+      filter_opts = { :max_redirects => opts[:redirect].nil? ? 3 : opts[:redirect] }
+      filter_opts[:params] = opts[:params] unless opts[:params].nil?
+      filter_opts[:body] = opts[:body] unless opts[:body].nil?
+      filter_opts[:headers] = opts[:headers] unless opts[:headers].nil?
+
+      begin
+        case opts[:method].downcase
+        when "get"
+          resp = SsrfFilter.get(url, filter_opts)
+        when "put"
+          resp = SsrfFilter.put(url, filter_opts)
+        when "post"
+          resp = SsrfFilter.post(url, filter_opts)
+        when "delete"
+          resp = SsrfFilter.delete(url, filter_opts)
+        when "patch"
+          return { status_code: 404, status_text: "Unsupported method", body: "Cannot use patch with fast path." }
+        end
+
+        { status_code: resp.code.to_i, status_text: resp.message, body: resp.body }
+      rescue SsrfFilter::PrivateIPAddress => exception
+        { status_code: 404, status_text: "Invalid destination", body: exception.to_s }
+      end
+    end
+
     # invokes the lambda with the provided arguments. It handles all lambda
     # related errors so developers should assume the data they receive back is straight
     # from the server they are speaking to.
     def invoke(host = nil, opts = {})
       opts = opts.merge(parseAsUri(host))
-      resp = client.invoke({
-                             function_name: configuration.func_name,
-                             invocation_type: configuration.invoke_type,
-                             log_type: configuration.log_type,
-                             payload: payload(opts)
-                           })
-
-      if resp['status_code'] == 200
-        OpenStruct.new(JSON.parse(resp&.payload&.string))
+      if (!opts[:proxy].nil? && !opts[:proxy]) || !configuration.proxy
+        OpenStruct.new(fast_check(host, opts))
       else
-        OpenStruct.new({ body: '', status_code: resp[status_code], status_text: '500 Error with proxy' })
+        begin
+          resp = client.invoke({
+            function_name: configuration.func_name,
+            invocation_type: configuration.invoke_type,
+            log_type: configuration.log_type,
+            payload: payload(opts),
+          })
+
+          if resp["status_code"] == 200
+            OpenStruct.new(JSON.parse(resp&.payload&.string))
+          else
+            OpenStruct.new({ body: "", status_code: resp[status_code], status_text: "500 Error with proxy" })
+          end
+        rescue StandardError => e
+          # fall back to local check if the lambda wasn't reachable.
+          OpenStruct.new(fast_check(host, opts))
+        end
       end
-    rescue StandardError => e
-      OpenStruct.new({ body: '', status_code: 500, status_text: e.to_s })
     end
 
     # payload builds an API client Request object with the proper defaults and
@@ -156,5 +197,5 @@ module SSRFsUp
     def payload(opts = {})
       toOpenAPIClient(opts).to_json
     end
-end
+  end
 end

data/lib/ssrfs-up/version.rb

@@ -1,3 +1,3 @@
 module SSRFsUp
-  VERSION = '0.0.17'.freeze
+  VERSION = "0.0.18".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ssrfs-up
 version: !ruby/object:Gem::Version
-  version: 0.0.17
+  version: 0.0.18
 platform: ruby
 authors:
 - Jake Heath
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-19 00:00:00.000000000 Z
+date: 2021-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-lambda
@@ -50,6 +50,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.1
+- !ruby/object:Gem::Dependency
+  name: ssrf_filter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement