safe_requests feature request
#13
Comments
|
Hi @tjs-intel thanks so much for opening this issue! I agree that ultimately upstreaming this to You've identified an interesting gap here and I think it's worth working through a potential solution. I'm going to ask @matt- to chime in since I think he has a few ideas about how we could accomplish what you're suggesting. One such option might be to hook into a lower-level layer of the |
|
I tried a quick POC of this concept yesterday by adding an IP address check here in |
|
If we just swap out the host name with the resolved IP I think we may run into some issues with servers that check hostname header, or parse raw URL for some reason. However I think we could hook into this by making the safe methods use a custom "Transport Adapter" I will have to dig more, but it looks like we could grab access to the "connection" before the request is made which would give us the resolved IP |
|
A relevant post on SO, showing how to resolve a hostname before making the connection: https://stackoverflow.com/a/22614367 |
The current implementation of
safe_requestsparses the hostname from the request URL and checks it against a fairly limited set of IP addresses (namely198.168.1.1and the AWS instance metadata URL). This should be fairly easy to bypass by registering a domain name (or finding one that already exists) either with an A record that resolves to one of these restricted addresses, or by hosting a web server that returns a redirect to the restricted address.I propose the following procedure for sandboxing requests.
socket.gethostbyname()requestsThere are many edge cases to handle here, ex. tls hostname verification, proxies, redirects, and it may ultimately be easiest to add functionality to
requestsand/orurllibto support IP address allow/block lists.The text was updated successfully, but these errors were encountered: