Add Rust version of AntiSSRF library with full CI and documentation#29
Open
finn79426 wants to merge 8 commits into
Open
Add Rust version of AntiSSRF library with full CI and documentation#29finn79426 wants to merge 8 commits into
finn79426 wants to merge 8 commits into
Conversation
Set up Rust project structure with cargo init. Add .gitignore for Rust build artifacts.
Define AntiSSrfError enum for validation, DNS, and I/O failures. Implement IpAddressCidr with parsing, containment checks, and IPv4/IPv6 support using the ipnetwork crate.
Add comprehensive CIDR constants for RFC 1918, 4193, 5735, 6598, and other special-purpose address ranges. Define well-known Microsoft and Azure domains for SSRF detection.
Implement core SSRF protection: - AntiSSRFPolicy: configurable allow/deny lists, IP restrictions, header injection prevention, HTTP/HTTPS agent integration. - URIValidator: DNS resolution and IP range validation with multi-threaded safety and cache support. - Network layer: IP address classification, range checking, DNS resolution with timeout and retry.
Add comprehensive test coverage: - Integration bypass tests for DNS rebinding, URL parsing edge cases, and protocol smuggling attempts. - SSRF payload tests covering IP encoding variants, redirect chains, IPv6 mappings, and cloud metadata endpoints.
Add shell scripts to regenerate domain constants and IP range constants from upstream data sources, mirroring the existing Node.js and .NET build pipeline.
Add dedicated test-rust workflow for cargo build, test, clippy, and format checking on ubuntu, macos, and windows. Update update-domains and update-ip-ranges to generate Rust source files alongside existing Node.js and .NET outputs. Extend codeql analysis and license header checks to cover Rust source files.
Add Rust API documentation covering AntiSSRFPolicy, URIValidator, error types, CIDR primitives, and data module reference. Update getting-started guide with Rust installation instructions and code examples. Update documentation index pages and README with Rust badge and cross-references.
Author
|
@microsoft-github-policy-service agree |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR ports the Microsoft AntiSSRF library to Rust, providing SSRF protection for the Rust ecosystem.
The implementation mirrors the existing .NET and Node.js libraries in API design and security guarantees.
Changes
Core library (
rust/):AntiSSRFPolicy— configurable allow/deny lists, IP restriction policies, header injection prevention, HTTP/HTTPS agent integrationURIValidator— DNS resolution and IP range validation with thread-safe cachingIpAddressCidr) with IPv4/IPv6 supportTesting (
rust/tests/):CI/CD (
.github/workflows/):test-rust.yml: cargo build, test, clippy, format on ubuntu/macos/windowsupdate-domains.ymlandupdate-ip-ranges.ymlto generate Rust source filescodeql.ymlandcheck-license-headers.ymlfor RustBuild system (
scripts/):build-domains-rust.shandbuild-ip-ranges-rust.shfor regenerating data constants from upstream sourcesDocumentation (
docs/):docs/rust-api/index.md— Rust API referencedocs/index.md,docs/getting-started.md,README.mdwith Rust installation and usage examplesVerification
cargo build— cleancargo test --lib— 106 passedcargo test --all-features— 181 passedcargo clippy— no issuescargo fmt --check— cleanStandalone Reference
The standalone Rust implementation is maintained at:
https://github.com/finn79426/AntiSSRF-rs
This port adapts the standalone crate into the monorepo structure, aligning with the existing .NET and Node.js build and release pipelines.