Faraday::RestrictIPAddresses

Prevent Faraday from hitting an arbitrary list of IP addresses, with helpers for RFC 1918 networks, RFC 6890 networks, and localhost.

System DNS facilities are used, so lookups should be cached instead of making another request. Addresses are invalid if a host has has at least one invalid DNS entry.

Usage

faraday = Faraday.new do |builder|
  builder.request :url_encoded
  builder.request :restrict_ip_addresses, deny_rfc6890: true,
                                          allow_localhost: true,
                                          deny: ['8.0.0.0/8',
                                                 '224.0.0.0/7'],
                                          allow: ['192.168.0.0/24']
  builder.adapter Faraday.default_adapter
end

faraday.get 'http://www.badgerbadgerbadger.com' # 150.0.0.150 or something
# => cool

faraday.get 'http://malicious-callback.com'      # 172.0.0.150, maybe a secret internal server? Maybe not?
# => raises Faraday::RestrictIPAddresses::AddressNotAllowed

Permit/denied order is:

  • All addresses are allowed, except
  • Addresses that are denied, except
  • Addresses that are allowed.

Author

Dat @bhuga with shoutouts to @mastahyeti's gist.

UNLICENSE

It's right there.