Prevent Faraday from hitting an arbitrary list of IP addresses, with helpers for RFC 1918 networks, RFC 6890 networks, and localhost.

System DNS facilities are used, so lookups should be cached rather than causing another request. A host is treated as invalid if it has at least one invalid DNS entry.


faraday = Faraday.new do |builder|
  builder.request :url_encoded
  # Restrict which resolved addresses the connection may reach.
  builder.request :restrict_ip_addresses, deny_rfc6890: true,
                                          allow_localhost: true,
                                          deny: [''],
                                          allow: ['']
  builder.adapter Faraday.default_adapter
end

faraday.get 'http://www.badgerbadgerbadger.com' # or something
# => cool

faraday.get 'http://malicious-callback.com'      # maybe a secret internal server? Maybe not?
# => raises Faraday::RestrictIPAddresses::AddressNotAllowed

Permit/deny order is:

  • All addresses are allowed, except
  • Addresses that are denied, except
  • Addresses that are allowed.
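
The precedence above, combined with the rule that one invalid DNS entry invalidates the whole host, as an added sketch that is not the gem's own code. The CIDR ranges, method names, and resolved addresses are constructed for illustration, and rejecting a host with no addresses is this example's own choice.

```ruby
require 'ipaddr'

# Constructed sample ranges (assumptions, not values from the page).
DENY  = %w[10.0.0.0/8 192.168.0.0/16 127.0.0.0/8].map { |c| IPAddr.new(c) }
ALLOW = %w[192.168.10.0/24].map { |c| IPAddr.new(c) }

# One address: allowed by default, unless it falls in a denied range,
# unless it also falls in an allowed range.
def address_permitted?(ip, deny: DENY, allow: ALLOW)
  addr = IPAddr.new(ip)
  return true unless deny.any? { |net| net.include?(addr) }

  allow.any? { |net| net.include?(addr) }
end

# One host: every resolved address must pass, so a single denied record
# among several rejects the host. An empty answer is rejected (fail closed).
def host_permitted?(resolved_ips, deny: DENY, allow: ALLOW)
  return false if resolved_ips.empty?

  resolved_ips.all? { |ip| address_permitted?(ip, deny: deny, allow: allow) }
end

# Constructed DNS answers, hard-coded so the example runs offline.
SAMPLE_ANSWERS = {
  'public.example'   => ['203.0.113.10'],
  'internal.example' => ['10.1.2.3'],
  'mixed.example'    => ['203.0.113.10', '10.1.2.3'],
  'carveout.example' => ['192.168.10.7'],
  'neighbor.example' => ['192.168.11.7']
}.freeze

# Returns a hash of host name => true/false decision.
def decisions(answers = SAMPLE_ANSWERS)
  answers.transform_values { |ips| host_permitted?(ips) }
end

decisions.each { |host, ok| puts format('%-18s %s', host, ok ? 'allow' : 'deny') }
```

The `mixed.example` case is the one to watch: a public record does not rescue a host that also resolves into a denied range.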


Dat @bhuga with shoutouts to @mastahyeti's gist.


It's right there.