Prevent Faraday from hitting an arbitrary list of IP addresses, with helpers for RFC 1918 networks, RFC 6890 networks, and localhost.
System DNS facilities are used, so lookups should be cached instead of making another request. Addresses are invalid if a host has has at least one invalid DNS entry.
faraday = .new do |builder| builder.request :url_encoded builder.request :restrict_ip_addresses, deny_rfc6890: true, allow_localhost: true, deny: ['188.8.131.52/8', '184.108.40.206/7'], allow: ['192.168.0.0/24'] builder.adapter .default_adapter end faraday.get 'http://www.badgerbadgerbadger.com' # 220.127.116.11 or something # => cool faraday.get 'http://malicious-callback.com' # 18.104.22.168, maybe a secret internal server? Maybe not? # => raises Faraday::RestrictIPAddresses::AddressNotAllowed
Permit/denied order is:
- All addresses are allowed, except
- Addresses that are denied, except
- Addresses that are allowed.
Dat @bhuga with shoutouts to @mastahyeti's gist.
It's right there.