paranoid-request
An SSRF-preventing wrapper around Node's request module, as well as the
lower-level http and https modules.
Overview
Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker has the ability to create requests from a vulnerable server.
This can allow the attacker to make requests to localhost, thereby exposing sensitive internal services that are behind the firewall.
This library prevents this category of attacks by preventing the requests from firing.
For more info on SSRF vulnerabilities, check out this article.
Usage
Exactly the same as https://www.npmjs.com/package/request, with the addition
that we will emit an 'error' event with an UnacceptableAddressError when we
can't find a suitable address.
var paranoid = ; // These two will be blockedparanoid; paranoid; // but this is fineparanoid;If you want a custom set of validation rules, you can also roll your
own version of paranoid-request:
var paranoid = ; // example.com's IPvar exampleComIp = "93.184.216.34";var exampleComCIDR = exampleComIp + "/32";var exampleComIpURL = "http://" + exampleComIp + "/"; // Make a wrapper that blocks example.com's IP by defaultvar moreParanoid = paranoid; // Now requests to example.com's IP should be blockedmoreParanoid;You can also use paranoid-request's paranoid wrappers for the stdlib's http
and https as well via require("paranoid-request").httpModule and
require("paranoid-request").httpsModule, respectively. However, I don't recommend it.
Testing
npm installnpm test
Installation
npm install paranoid-request
Development
Develop like any other node module. Please write tests for any new code you add!