Module: WSDL::HTTPAdapter::RedirectGuard Private
- Included in:
- WSDL::HTTPAdapter
- Defined in:
- lib/wsdl/http_adapter/redirect_guard.rb
Overview
This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.
SSRF and redirect validation for WSDL::HTTPAdapter.
This module validates redirect targets to prevent Server-Side Request Forgery (SSRF) attacks. It blocks redirects to private/reserved IP addresses and prevents HTTPS-to-HTTP scheme downgrades.
Both IP address literals in URLs and DNS-resolved addresses are checked.
Constant Summary
- DNS_RESOLUTION_TIMEOUT =
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
Timeout in seconds for DNS resolution during redirect validation. Prevents indefinite hangs when resolving redirect target hostnames.
5
- PRIVATE_IP_RANGES =
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
Private/reserved IPv4 and IPv6 ranges that must not be redirect targets.
[
  IPAddr.new('0.0.0.0/8'),       # Current network (RFC 1122)
  IPAddr.new('10.0.0.0/8'),      # Private (RFC 1918)
  IPAddr.new('100.64.0.0/10'),   # Shared address space (RFC 6598)
  IPAddr.new('127.0.0.0/8'),     # Loopback (RFC 1122)
  IPAddr.new('169.254.0.0/16'),  # Link-local (RFC 3927)
  IPAddr.new('172.16.0.0/12'),   # Private (RFC 1918)
  IPAddr.new('192.168.0.0/16'),  # Private (RFC 1918)
  IPAddr.new('::1/128'),         # IPv6 loopback
  IPAddr.new('fc00::/7'),        # IPv6 unique local (RFC 4193)
  IPAddr.new('fe80::/10')        # IPv6 link-local
].freeze
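The following is an added example of the validation approach the overview and constants above describe. It is not the gem's own implementation: the module name RedirectGuardExample, the method names and the RedirectError class are assumptions, while DNS_RESOLUTION_TIMEOUT and PRIVATE_IP_RANGES mirror the constants documented on this page. It rejects unsupported schemes and HTTPS-to-HTTP downgrades, treats the target host as either an IP literal or a name to resolve under the timeout, and refuses any target whose literal or resolved address falls in a blocked range. The resolver is injectable so the logic can be exercised offline with constructed records.

```ruby
require 'ipaddr'
require 'resolv'
require 'timeout'
require 'uri'

# Added example, not the gem's code. Module, method and error-class names
# are assumptions; the two constants mirror the ones documented above.
module RedirectGuardExample
  class RedirectError < StandardError; end

  DNS_RESOLUTION_TIMEOUT = 5

  PRIVATE_IP_RANGES = [
    IPAddr.new('0.0.0.0/8'),       # Current network (RFC 1122)
    IPAddr.new('10.0.0.0/8'),      # Private (RFC 1918)
    IPAddr.new('100.64.0.0/10'),   # Shared address space (RFC 6598)
    IPAddr.new('127.0.0.0/8'),     # Loopback (RFC 1122)
    IPAddr.new('169.254.0.0/16'),  # Link-local (RFC 3927)
    IPAddr.new('172.16.0.0/12'),   # Private (RFC 1918)
    IPAddr.new('192.168.0.0/16'),  # Private (RFC 1918)
    IPAddr.new('::1/128'),         # IPv6 loopback
    IPAddr.new('fc00::/7'),        # IPv6 unique local (RFC 4193)
    IPAddr.new('fe80::/10')        # IPv6 link-local
  ].freeze

  # True if +ip+ (a string) lies inside any blocked range. IPv4-mapped IPv6
  # forms such as ::ffff:127.0.0.1 are unmapped first so they are matched
  # against the IPv4 ranges instead of being treated as unrelated IPv6.
  def self.private_address?(ip)
    addr = IPAddr.new(ip)
    addr = addr.native if addr.ipv4_mapped?
    PRIVATE_IP_RANGES.any? { |range| range.include?(addr) }
  end

  # True if +host+ is an IP literal rather than a name that needs DNS.
  def self.literal_ip?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  # Resolve every A/AAAA address for +host+, bounded by DNS_RESOLUTION_TIMEOUT
  # so a slow or unresponsive resolver cannot hang the client indefinitely.
  def self.resolve_with_timeout(host)
    Timeout.timeout(DNS_RESOLUTION_TIMEOUT) { Resolv.getaddresses(host) }
  rescue Timeout::Error
    raise RedirectError, "DNS resolution of #{host} timed out"
  end

  # Validate +location+ (a Location header value, absolute or relative) as a
  # redirect from +original+. Returns the absolute target URI or raises
  # RedirectError. +resolver+ (host -> array of IP strings) is injectable.
  def self.validate_redirect(original, location, resolver: nil)
    begin
      from   = URI(original)
      target = from.merge(location) # relative Location values resolve against the original
    rescue URI::Error => e
      raise RedirectError, "malformed redirect target: #{e.message}"
    end

    unless %w[http https].include?(target.scheme)
      raise RedirectError, "unsupported redirect scheme #{target.scheme.inspect}"
    end
    if from.scheme == 'https' && target.scheme == 'http'
      raise RedirectError, 'refusing HTTPS-to-HTTP downgrade'
    end

    host = target.hostname # strips the brackets around IPv6 literals
    raise RedirectError, 'redirect target has no host' if host.nil? || host.empty?

    lookup    = resolver || method(:resolve_with_timeout)
    addresses = literal_ip?(host) ? [host] : lookup.call(host)
    raise RedirectError, "no addresses found for #{host}" if addresses.empty?

    # Every address must be public: a single private A/AAAA record is enough
    # to refuse the redirect, since the client could connect to any of them.
    addresses.each do |ip|
      raise RedirectError, "redirect to #{host} (#{ip}) blocked: private address" if private_address?(ip)
    end
    target
  end

  # Boolean convenience wrapper around validate_redirect.
  def self.safe_redirect?(original, location, resolver: nil)
    validate_redirect(original, location, resolver: resolver)
    true
  rescue RedirectError
    false
  end
end
```

Two design points are worth noting. First, the check is applied to all resolved addresses, not just the first, because a name with one public and one private record is as dangerous as a purely private one. Second, validating resolved addresses separately from the connection leaves a window in which the HTTP client may resolve the name again and obtain a different answer; a client that connects to the exact address it validated closes that gap, which this standalone check by itself does not.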