lewis.moe / bspds-sandbox
this repo has no description
fork atom
bspds-sandbox / src / api / proxy_client.rs
at d01c1445b6b69d47e67107496c9c8bc827fef5ce 7.5 kB view raw
1use reqwest::{Client, ClientBuilder, Url}; 2use std::net::{IpAddr, SocketAddr, ToSocketAddrs}; 3use std::sync::OnceLock; 4use std::time::Duration; 5use tracing::warn; 6 7pub const DEFAULT_HEADERS_TIMEOUT: Duration = Duration::from_secs(10); 8pub const DEFAULT_BODY_TIMEOUT: Duration = Duration::from_secs(30); 9pub const DEFAULT_CONNECT_TIMEOUT: Duration = Duration::from_secs(5); 10pub const MAX_RESPONSE_SIZE: u64 = 10 * 1024 * 1024; 11 12static PROXY_CLIENT: OnceLock<Client> = OnceLock::new(); 13 14pub fn proxy_client() -> &'static Client { 15 PROXY_CLIENT.get_or_init(|| { 16 ClientBuilder::new() 17 .timeout(DEFAULT_BODY_TIMEOUT) 18 .connect_timeout(DEFAULT_CONNECT_TIMEOUT) 19 .pool_max_idle_per_host(10) 20 .pool_idle_timeout(Duration::from_secs(90)) 21 .redirect(reqwest::redirect::Policy::none()) 22 .build() 23 .expect("Failed to build HTTP client - this indicates a TLS or system configuration issue") 24 }) 25} 26 27pub fn is_ssrf_safe(url: &str) -> Result<(), SsrfError> { 28 let parsed = Url::parse(url).map_err(|_| SsrfError::InvalidUrl)?; 29 30 let scheme = parsed.scheme(); 31 if scheme != "https" { 32 let allow_http = std::env::var("ALLOW_HTTP_PROXY").is_ok() 33 || url.starts_with("http://127.0.0.1") 34 || url.starts_with("http://localhost"); 35 36 if !allow_http { 37 return Err(SsrfError::InsecureProtocol(scheme.to_string())); 38 } 39 } 40 41 let host = parsed.host_str().ok_or(SsrfError::NoHost)?; 42 43 if host == "localhost" { 44 return Ok(()); 45 } 46 47 if let Ok(ip) = host.parse::<IpAddr>() { 48 if ip.is_loopback() { 49 return Ok(()); 50 } 51 if !is_unicast_ip(&ip) { 52 return Err(SsrfError::NonUnicastIp(ip.to_string())); 53 } 54 return Ok(()); 55 } 56 57 let port = parsed.port().unwrap_or(if scheme == "https" { 443 } else { 80 }); 58 let socket_addrs: Vec<SocketAddr> = match (host, port).to_socket_addrs() { 59 Ok(addrs) => addrs.collect(), 60 Err(_) => return Err(SsrfError::DnsResolutionFailed(host.to_string())), 61 }; 62 63 for addr in &socket_addrs { 64 if !is_unicast_ip(&addr.ip()) { 65 warn!( 66 "DNS resolution for {} returned non-unicast IP: {}", 67 host, 68 addr.ip() 69 ); 70 return Err(SsrfError::NonUnicastIp(addr.ip().to_string())); 71 } 72 } 73 74 Ok(()) 75} 76 77fn is_unicast_ip(ip: &IpAddr) -> bool { 78 match ip { 79 IpAddr::V4(v4) => { 80 !v4.is_loopback() 81 && !v4.is_broadcast() 82 && !v4.is_multicast() 83 && !v4.is_unspecified() 84 && !v4.is_link_local() 85 && !is_private_v4(v4) 86 } 87 IpAddr::V6(v6) => !v6.is_loopback() && !v6.is_multicast() && !v6.is_unspecified(), 88 } 89} 90 91fn is_private_v4(ip: &std::net::Ipv4Addr) -> bool { 92 let octets = ip.octets(); 93 octets[0] == 10 94 || (octets[0] == 172 && (16..=31).contains(&octets[1])) 95 || (octets[0] == 192 && octets[1] == 168) 96 || (octets[0] == 169 && octets[1] == 254) 97} 98 99#[derive(Debug, Clone)] 100pub enum SsrfError { 101 InvalidUrl, 102 InsecureProtocol(String), 103 NoHost, 104 NonUnicastIp(String), 105 DnsResolutionFailed(String), 106} 107 108impl std::fmt::Display for SsrfError { 109 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { 110 match self { 111 SsrfError::InvalidUrl => write!(f, "Invalid URL"), 112 SsrfError::InsecureProtocol(p) => write!(f, "Insecure protocol: {}", p), 113 SsrfError::NoHost => write!(f, "No host in URL"), 114 SsrfError::NonUnicastIp(ip) => write!(f, "Non-unicast IP address: {}", ip), 115 SsrfError::DnsResolutionFailed(host) => write!(f, "DNS resolution failed for: {}", host), 116 } 117 } 118} 119 120impl std::error::Error for SsrfError {} 121 122pub const HEADERS_TO_FORWARD: &[&str] = &[ 123 "accept-language", 124 "atproto-accept-labelers", 125 "x-bsky-topics", 126]; 127 128pub const RESPONSE_HEADERS_TO_FORWARD: &[&str] = &[ 129 "atproto-repo-rev", 130 "atproto-content-labelers", 131 "retry-after", 132 "content-type", 133]; 134 135pub fn validate_at_uri(uri: &str) -> Result<AtUriParts, &'static str> { 136 if !uri.starts_with("at://") { 137 return Err("URI must start with at://"); 138 } 139 140 let path = uri.trim_start_matches("at://"); 141 let parts: Vec<&str> = path.split('/').collect(); 142 143 if parts.is_empty() { 144 return Err("URI missing DID"); 145 } 146 147 let did = parts[0]; 148 if !did.starts_with("did:") { 149 return Err("Invalid DID in URI"); 150 } 151 152 if parts.len() > 1 { 153 let collection = parts[1]; 154 if collection.is_empty() || !collection.contains('.') { 155 return Err("Invalid collection NSID"); 156 } 157 } 158 159 Ok(AtUriParts { 160 did: did.to_string(), 161 collection: parts.get(1).map(|s| s.to_string()), 162 rkey: parts.get(2).map(|s| s.to_string()), 163 }) 164} 165 166#[derive(Debug, Clone)] 167pub struct AtUriParts { 168 pub did: String, 169 pub collection: Option<String>, 170 pub rkey: Option<String>, 171} 172 173pub fn validate_limit(limit: Option<u32>, default: u32, max: u32) -> u32 { 174 match limit { 175 Some(l) if l == 0 => default, 176 Some(l) if l > max => max, 177 Some(l) => l, 178 None => default, 179 } 180} 181 182pub fn validate_did(did: &str) -> Result<(), &'static str> { 183 if !did.starts_with("did:") { 184 return Err("Invalid DID format"); 185 } 186 187 let parts: Vec<&str> = did.split(':').collect(); 188 if parts.len() < 3 { 189 return Err("DID must have at least method and identifier"); 190 } 191 192 let method = parts[1]; 193 if method != "plc" && method != "web" { 194 return Err("Unsupported DID method"); 195 } 196 197 Ok(()) 198} 199 200#[cfg(test)] 201mod tests { 202 use super::*; 203 204 #[test] 205 fn test_ssrf_safe_https() { 206 assert!(is_ssrf_safe("https://api.bsky.app/xrpc/test").is_ok()); 207 } 208 209 #[test] 210 fn test_ssrf_blocks_http_by_default() { 211 let result = is_ssrf_safe("http://external.example.com/xrpc/test"); 212 assert!(matches!(result, Err(SsrfError::InsecureProtocol(_)) | Err(SsrfError::DnsResolutionFailed(_)))); 213 } 214 215 #[test] 216 fn test_ssrf_allows_localhost_http() { 217 assert!(is_ssrf_safe("http://127.0.0.1:8080/test").is_ok()); 218 assert!(is_ssrf_safe("http://localhost:8080/test").is_ok()); 219 } 220 221 #[test] 222 fn test_validate_at_uri() { 223 let result = validate_at_uri("at://did:plc:test/app.bsky.feed.post/abc123"); 224 assert!(result.is_ok()); 225 let parts = result.unwrap(); 226 assert_eq!(parts.did, "did:plc:test"); 227 assert_eq!(parts.collection, Some("app.bsky.feed.post".to_string())); 228 assert_eq!(parts.rkey, Some("abc123".to_string())); 229 } 230 231 #[test] 232 fn test_validate_at_uri_invalid() { 233 assert!(validate_at_uri("https://example.com").is_err()); 234 assert!(validate_at_uri("at://notadid/collection/rkey").is_err()); 235 } 236 237 #[test] 238 fn test_validate_limit() { 239 assert_eq!(validate_limit(None, 50, 100), 50); 240 assert_eq!(validate_limit(Some(0), 50, 100), 50); 241 assert_eq!(validate_limit(Some(200), 50, 100), 100); 242 assert_eq!(validate_limit(Some(75), 50, 100), 75); 243 } 244 245 #[test] 246 fn test_validate_did() { 247 assert!(validate_did("did:plc:abc123").is_ok()); 248 assert!(validate_did("did:web:example.com").is_ok()); 249 assert!(validate_did("notadid").is_err()); 250 assert!(validate_did("did:unknown:test").is_err()); 251 } 252}