https://github.com/arkadiyt/ssrf_filter

A ruby gem for defending against Server Side Request Forgery (SSRF) attacks
https://github.com/arkadiyt/ssrf_filter

Keywords

gem ruby server-side-request-forgery ssrf

Keywords from Contributors

activerecord crash-reporting database-cleaner feature-flag

Last synced: about 21 hours ago
JSON representation

Repository metadata

A ruby gem for defending against Server Side Request Forgery (SSRF) attacks

Host: GitHub
URL: https://github.com/arkadiyt/ssrf_filter
Owner: arkadiyt
License: mit
Created: 2017-07-23T22:22:57.000Z (over 8 years ago)
Default Branch: main
Last Pushed: 2025-05-10T18:16:08.000Z (10 months ago)
Last Synced: 2026-02-22T19:49:04.404Z (9 days ago)
Topics: gem, ruby, server-side-request-forgery, ssrf
Language: Ruby
Homepage: https://rubygems.org/gems/ssrf_filter
Size: 82 KB
Stars: 88
Watchers: 3
Forks: 30
Open Issues: 2
Releases: 14
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.md
- Code of conduct: CODE_OF_CONDUCT.md

ssrf_filter

What's it for

ssrf_filter makes it easy to defend against server side request forgery (SSRF) attacks. SSRF vulnerabilities happen when you accept URLs as user input and fetch them on your server (for instance, when a user enters a link into a Twitter/Facebook status update and a content preview is generated).

Users can pass in URLs or IPs such that your server will make requests to the internal network. For example if you're hosted on AWS they can request the instance metadata endpoint http://169.254.169.254/latest/meta-data/ and get your IAM credentials.

Attempts to guard against this are often implemented incorrectly, by blocking all ip addresses, not handling IPv6 or http redirects correctly, or having TOCTTOU bugs and other issues.

This gem provides a safe and easy way to fetch content from user-submitted urls. It:

handles URIs/IPv4/IPv6, redirects, DNS, etc, correctly
has 0 runtime dependencies
has a comprehensive test suite (100% code coverage)
is tested against ruby 2.7, 3.0, 3.1, 3.2, 3.3, and ruby-head

Quick start

Add the gem to your Gemfile:

gem 'ssrf_filter', '~> 1.3.0'

In your code:

require 'ssrf_filter'
response = SsrfFilter.get(params[:url]) # throws an exception for unsafe fetches
response.code
=> "200"
response.body
=> "<!doctype html>\n<html>\n<head>\n..."

API reference

SsrfFilter.get/.put/.post/.delete/.head/.patch(url, options = {}, &block)

Fetches the requested url using a get/put/post/delete/head/patch request, respectively.

Params:

url — the url to fetch.
options — options hash (described below).
block — a block that will receive the HTTPRequest object before it's sent, if you need to do any pre-processing on it (see examples below).

Options hash:

:scheme_whitelist — an array of schemes to allow. Defaults to %w[http https].
:resolver — a proc that receives a hostname string and returns an array of IPAddr objects. Defaults to resolving with Ruby's Resolv. See examples below for a custom resolver.
:max_redirects — Maximum number of redirects to follow. Defaults to 10.
:params — Hash of params to send with the request.
:headers — Hash of headers to send with the request.
:body — Body to send with the request.
:http_options – Options to pass to Net::HTTP.start. Use this to set custom timeouts or SSL options.
:request_proc - a proc that receives the request object, for custom modifications before sending the request.
:allow_unfollowed_redirects - If true and your request hits the maximum number of redirects, the last response will be returned instead of raising an error. Defaults to false.

Returns:

An HTTPResponse object if the url was fetched safely, or throws an exception if it was unsafe. All exceptions inherit from SsrfFilter::Error.

Examples:

# GET www.example.com
SsrfFilter.get('https://www.example.com')

# Pass params - these are equivalent
SsrfFilter.get('https://www.example.com?param=value')
SsrfFilter.get('https://www.example.com', params: {'param' => 'value'})

# POST, send custom header, and don't follow redirects
begin
  SsrfFilter.post('https://www.example.com', max_redirects: 0,
    headers: {'content-type' => 'application/json'})
rescue SsrfFilter::Error => e
  # Got an unsafe url
end

# Custom DNS resolution and request processing
resolver = proc do |hostname|
  [IPAddr.new('2001:500:8f::53')] # Static resolver
end
# Do some extra processing on the request
request_proc = proc do |request|
  request['content-type'] = 'application/json'
  request.basic_auth('username', 'password')
end
SsrfFilter.get('https://www.example.com', resolver: resolver, request_proc: request_proc)

# Stream response
SsrfFilter.get('https://www.example.com') do |response|
  response.read_body do |chunk|
    puts chunk
  end
end

Changelog

Please see CHANGELOG.md. This project follows semantic versioning.

Contributing

Please see CONTRIBUTING.md.

Owner metadata

Name: Arkadiy Tetelman
Login: arkadiyt
Email:
Kind: user
Description: All things security.
Website: https://arkadiyt.com
Location: San Francisco, CA
Twitter: arkadiyt
Company: Chime (https://chime.com)
Icon url: https://avatars.githubusercontent.com/u/2279289?u=0eae5382d4ceb5206991db252e3d6299a6f42de6&v=4
Repositories: 29
Last ynced at: 2023-04-10T00:16:33.204Z
Profile URL: https://github.com/arkadiyt

GitHub Events

Total

Release event: 2
Delete event: 6
Pull request event: 14
Fork event: 3
Issues event: 6
Watch event: 10
Issue comment event: 7
Push event: 25
Pull request review event: 1
Create event: 8

Last Year

Release event: 1
Delete event: 2
Pull request event: 4
Fork event: 1
Issues event: 4
Watch event: 3
Issue comment event: 3
Push event: 2
Create event: 3

Committers metadata

Last synced: 1 day ago

Total Commits: 63
Total Committers: 11
Avg Commits per committer: 5.727
Development Distribution Score (DDS): 0.317

Commits in past year: 2
Committers in past year: 1
Avg Commits per committer in past year: 2.0
Development Distribution Score (DDS) in past year: 0.0

Name	Email	Commits
Arkadiy Tetelman	a**t@g**m	43
Arkadiy Tetelman	a**n@a**m	8
Max Burkhardt	m**t@a**m	3
Mitsuhiro Shibuya	m**a@g**m	2
mark-young-atg	1****g	1
jacobrheath	7****h	1
Vadim Masakovski	v**i@g**m	1
Peter Goldstein	p**n@g**m	1
Jon Evans	j**b@g**m	1
Ian Lesperance	i**n@e**m	1
Benjamin Groessing	b**n@b**m	1

Committer domains:

Issue and Pull Request metadata

Last synced: 7 days ago

Total issues: 19
Total pull requests: 66
Average time to close issues: 3 months
Average time to close pull requests: about 2 months
Total issue authors: 19
Total pull request authors: 14
Average comments per issue: 3.05
Average comments per pull request: 1.8
Merged pull request: 49
Bot issues: 0
Bot pull requests: 0

Past year issues: 4
Past year pull requests: 4
Past year average time to close issues: about 1 month
Past year average time to close pull requests: 1 minute
Past year issue authors: 4
Past year pull request authors: 1
Past year average comments per issue: 1.0
Past year average comments per pull request: 0.0
Past year merged pull request: 4
Past year bot issues: 0
Past year bot pull requests: 0

More stats: https://issues.ecosyste.ms/repositories/lookup?url=https://github.com/arkadiyt/ssrf_filter

Top Issue Authors

marcosmighty (1)
pamplo (1)
jakeyheath (1)
lorrocha (1)
mshibuya (1)
chrisballen (1)
collimarco (1)
joao-esteves (1)
fsateler (1)
brian-kephart (1)
sandstrom (1)
langalex (1)
evg2108 (1)
DmytroKondratiuk (1)
rajyan (1)

Top Pull Request Authors

arkadiyt (47)
mshibuya (4)
mark-young-atg (2)
maxburkhardt (2)
groe (2)
jakeyheath (1)
artfuldodger (1)
petergoldstein (1)
neilang (1)
vaski (1)
mrhaddad (1)
anero (1)
fivetentaylor (1)
elliterate (1)

Top Issue Labels

Top Pull Request Labels

enhancement (1)

Package metadata

Total packages: 9
Total downloads:
- rubygems: 171,807,725 total
Total docker downloads: 922,359,698
Total dependent packages: 6 (may contain duplicates)
Total dependent repositories: 5,187 (may contain duplicates)
Total versions: 35
Total maintainers: 1

gem.coop: ssrf_filter

A gem that makes it easy to prevent server side request forgery (SSRF) attacks

Homepage: https://github.com/arkadiyt/ssrf_filter
Documentation: http://www.rubydoc.info/gems/ssrf_filter/
Licenses: MIT
Latest release: 1.3.0 (published 10 months ago)
Last Synced: 2026-02-28T16:01:10.144Z (3 days ago)
Versions: 14
Dependent Packages: 0
Dependent Repositories: 0
Downloads: 85,903,012 Total
Docker Downloads: 461,179,849
Rankings:
- Dependent repos count: 0.0%
- Dependent packages count: 0.0%
- Average: 0.144%
- Docker downloads count: 0.238%
- Downloads: 0.337%
Maintainers (1)
- arkadiyt

debian-13: ruby-ssrf-filter

Homepage: https://github.com/arkadiyt/ssrf_filter
Documentation: https://packages.debian.org/trixie/ruby-ssrf-filter
Licenses: mit
Latest release: 1.0.7-2 (published 19 days ago)
Last Synced: 2026-02-13T13:20:05.360Z (18 days ago)
Versions: 1
Dependent Packages: 0
Dependent Repositories: 0
Rankings:
- Dependent repos count: 0.0%
- Dependent packages count: 0.0%
- Average: 0.701%
- Forks count: 1.206%
- Stargazers count: 1.597%

rubygems.org: ssrf_filter