Package httpclient provides an SSRF-safe HTTP client implementation.
DefaultAuthorizer exposes the default authorizer instance.
var DefaultAuthorizer = &ssrfAuthorizer{}
DefaultClient represents a safe HTTP client instance.
var DefaultClient = Safe()
func NewClient
func NewClient(az Authorizer, opts ...Option) *http.Client
NewClient is used to create a safe http client with the given authorizer implementation.
func NewRequestFilter
func NewRequestFilter(az Authorizer, next http.RoundTripper) http.RoundTripper
NewRequestFilter sets up a request interceptor that authorizes the request before the client sends it.
func NewResponseFilter
func NewResponseFilter(az Authorizer, next http.RoundTripper) http.RoundTripper
NewResponseFilter sets up a response interceptor that authorizes a response received by the client.
func Safe
func Safe(opts ...Option) *http.Client
Safe returns a safe HTTP client with the default authorizer implementation.
// Build a client with the default authorizer. The error printed under
// Output passes through both the request and the response filter, so both
// are active on this client.
c := Safe()
// Query the AWS instance metadata endpoint, a link-local address that an
// SSRF-safe client is expected to refuse.
r, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://169.254.169.254/latest/meta-data/", nil)
if err != nil {
panic(err)
}
// Do is expected to fail here: per the Output, the connection is rejected at
// dial time because the destination address is link local unicast.
resp, err := c.Do(r)
// resp may be nil when Do returns an error, so close the body only if present.
if resp != nil {
defer resp.Body.Close()
}
Output:
Get "http://169.254.169.254/latest/meta-data/": response filter round trip failed: request filter round trip failed: dial tcp 169.254.169.254:80: tcp4/169.254.169.254:80 is not authorized by the client: "169.254.169.254" address is link local unicast
func UnSafe
func UnSafe(opts ...Option) *http.Client
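UnSafe returns an HTTP client with default transport settings only. As the example below notes, the request and response filters are disabled by default for this client, so requests are not screened the way they are with Safe.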
// Create a fake HTTP server that answers every request with a 302 redirect
// to an empty location.
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, "", http.StatusFound)
}))
// Both filters are off on this client, so the destination is not authorized
// before connecting; the redirect cap and timeout below are the only limits
// configured here.
c := UnSafe(
// Reduce timeout
WithTimeout(3*time.Second),
// Disable keep alives
WithDisableKeepAlives(true),
// Request filter disabled: already the default for UnSafe, set explicitly here
WithDisableRequestFilter(true),
// Response filter disabled: already the default for UnSafe, set explicitly here
WithDisableResponseFilter(true),
// Enable follow redirect
WithFollowRedirect(true),
// Cap the redirect chain at 2 hops; the Output shows the client stopping there
WithMaxRedirectionCount(2),
)
// Query the mock server, whose every response is another redirect
r, err := http.NewRequestWithContext(context.Background(), http.MethodGet, mockServer.URL, nil)
if err != nil {
panic(err)
}
// Do is expected to return the "stopped after 2 redirects" error shown under Output.
resp, err := c.Do(r)
// resp may be nil when Do returns an error, so close the body only if present.
if resp != nil {
defer resp.Body.Close()
}
Output:
Get "/": stopped after 2 redirects
type Authorizer
type Authorizer interface { ... }
Authorizer describes socket level authorization gates.
type Option
type Option func(*options)
Option represents http client functional option pattern type.
func WithDisableKeepAlives(value bool) Option
WithDisableKeepAlives disables the keep alive feature.
func WithDisableRequestFilter(value bool) Option
WithDisableRequestFilter disables the request filtering feature.
func WithDisableResponseFilter(value bool) Option
WithDisableResponseFilter disables the response filtering feature.
func WithFollowRedirect
func WithFollowRedirect(value bool) Option
WithFollowRedirect enables or disables following of redirects according to value; the UnSafe example passes true to enable it.
func WithMaxRedirectionCount(value int) Option
WithMaxRedirectionCount sets the maximum redirection count before returning an error.
func WithTLSClientConfig
func WithTLSClientConfig(value *tls.Config) Option
WithTLSClientConfig sets the HTTP client TLS configuration to use for connection.
func WithTLSDialer
func WithTLSDialer(dialer func(context.Context, string, string) (net.Conn, error)) Option
WithTLSDialer sets the TLS Dialer function to use to establish the connection.
func WithTimeout
func WithTimeout(value time.Duration) Option
WithTimeout sets the client timeout.
- mock: Package mock is a generated GoMock package.