v1.0

Author: Include Security

LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Include Security
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,33 @@
+# SafeURL for Scala
+### Originally Ported by [@saelo](https://github.com/saelo)
+
+## Overview
+SafeURL is a library that aids developers in protecting against a class of vulnerabilities known as [Server Side Request Forgery](http://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/). It does this by validating each part of the URL against a configurable white or black list before making an HTTP request. S
+afeURL is open-source and licensed under MIT.
+
+## Installation
+Clone this repository and import it into your project.
+
+## Implementation
+SafeURL replaces the Java methods in the [URLConnection](https://docs.oracle.com/javase/7/docs/api/java/net/URLConnection.html) class that are normally used to make HTTP requests in Scala.
+
+```scala
+  try {
+    //User controlled input
+    val url = url_
+    //Execute using SafeURL
+    val resp = SafeURL.fetch(url)
+    val r = Await.result(resp, 500 millis)
+  } catch {
+    //URL wasnt safe
+  }
+```
+## Configuration
+Options such as white and black lists can be modified. For example:
+
+```scala
+//Deny requests to specific IPs
+SafeURL.defaultConfiguration.lists.ip.blacklist ::= "12.34.0.0/16"
+//Deny requests to specific domains
+SafeURL.defaultConfiguration.lists.domain.blacklist ::= "example.com"
+```

examples/BasicExample.scala

@@ -0,0 +1,47 @@
+import scala.concurrent.ExecutionContext.Implicits.global
+import scala.concurrent.Await
+import scala.concurrent.duration._
+
+import com.includesecurity.safeurl._
+
+object BasicExample {
+  def main(Args: Array[String]) {
+    //
+    // Asyncronous example
+    // 
+    var futureResponse = SafeURL.fetch("http://icanhazip.com")
+    futureResponse onSuccess {
+      case response => println(response.asString.trim)
+    }
+
+    //
+    // Syncronous example
+    //
+    futureResponse = SafeURL.fetch("http://icanhazip.com")
+    val response = Await.result(futureResponse, 5000 millis)
+    println(response.asString.trim)
+
+
+    //
+    // Dealing with errors
+    //
+    futureResponse = SafeURL.fetch("file:///etc/passwd")
+    futureResponse onSuccess {
+      case response => println(response.asString)
+    }
+    futureResponse onFailure {
+      case error => println(error.toString)
+    }
+
+    futureResponse = SafeURL.fetch("http://192.168.1.1/secret")
+    try {
+      val response = Await.result(futureResponse, 5000 millis)
+    } catch {
+      case DisallowedURLException(URLPart.IP, ip, _) => println("Sorry, you can't access that IP (" + ip + ")")
+      case e: DisallowedURLException => println("Access denied")
+    }
+
+    // wait for asyncronous tasks to finish
+    Thread.sleep(1000)
+  }
+}

examples/ConfigurationExample.scala

@@ -0,0 +1,30 @@
+import scala.concurrent.ExecutionContext.Implicits.global
+import scala.concurrent.Await
+import scala.concurrent.duration._
+
+import com.includesecurity.safeurl._
+
+object ConfigurationExample {
+  def main(args: Array[String]) {
+    //
+    // Modify the default configuration
+    //
+    SafeURL.defaultConfiguration.lists.ip.blacklist ::= "12.34.0.0/16"
+
+    try {
+      SafeURL.validate("http://12.34.43.21")
+    } catch {
+      case e: DisallowedURLException => println(e.toString)
+    }
+
+
+    //
+    // Use a custom configuration for a single request
+    //
+    var config = new Configuration
+    config.lists.protocol.whitelist ::= "ftp"
+
+    var futureResponse = SafeURL.fetch("ftp://cdimage.debian.org/debian-cd/7.6.0/amd64/iso-cd/SHA256SUMS", config)
+    println(Await.result(futureResponse, 5000 millis).asString.split('\n').head)
+  }
+}

examples/README.md

@@ -0,0 +1,6 @@
+SafeURL examples
+=================
+
+Do the following to run these:
+    scalac -sourcepath ../src/ BasicExample.scala
+    scala BasicExample

examples/ResponseExample.scala

@@ -0,0 +1,30 @@
+import scala.concurrent.ExecutionContext.Implicits.global
+import scala.concurrent.Await
+import scala.concurrent.duration._
+
+import com.includesecurity.safeurl.{SafeURL, Response}
+
+/** Example code to demonstrate the usage of [[safeurl.Response]] instances. */
+object ResponseExample {
+  def main(Args: Array[String]) {
+    val futureResponse = SafeURL.fetch("http://icanhazip.com")
+    val response = Await.result(futureResponse, 5000 millis)
+
+    val header = response.getHeader
+    println("Header: ")
+    header.foreach { case (key, list) => println(key + ": " + list.mkString(", ")) }
+
+    println()
+    println("Body: ")
+
+    println("As string: " + response.asString.trim)
+    println("As base64: " + response.asBase64)
+    println("As bytes: " + response.asBytes.map("%02x " format _).mkString)
+
+    println()
+
+    println("Writing response to file /tmp/response")
+    response saveToFile "/tmp/response"
+    println("Done")
+  }
+}

src/com/includesecurity/safeurl/Configuration.scala

@@ -0,0 +1,94 @@
+/* Configuration.scala - Library to protect agains SSRF.
+ * Pull requests are welcome, please find this tool hosted on http://github.com/IncludeSecurity
+ *
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014 Samuel Groß
+ * Copyright (c) 2014 Include Security <info [at sign] includesecurity.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package com.includesecurity.safeurl
+
+
+/** Access lists for the various parts of a URL. */
+class AccessList {
+  var whitelist: List[String] = Nil
+  var blacklist: List[String] = Nil
+}
+
+/** Contains an AccessList for each part of the URL that is validated. */
+class ListContainer {
+  var ip: AccessList = new AccessList
+  var port: AccessList = new AccessList
+  var domain: AccessList = new AccessList
+  var protocol: AccessList = new AccessList
+}
+
+/** SafeURL configuration.
+  *
+  * Stores the black- and whitelists used by SafeURL as well
+  * as some other configuration properties.
+  *
+  * Has secure defaults.
+  */
+class Configuration {
+  /** Do secure redirects, revalidate each redirect location first. */
+  var secureRedirects: Boolean = true
+
+  /** The maximum number of redirects SaveCurl will follow. */
+  var maxRedirects: Int = 20
+
+  /** Determines whether SafeURL will pin DNS entries, preventing DNS rebinding attacks. */
+  var pinDNS: Boolean = true
+
+  /** When a protocol is allowed also allow its default port. */
+  var allowDefaultPort: Boolean = true
+
+  /** Access lists for the various parts of a URL. */
+  var lists: ListContainer = Configuration.defaultAccessLists
+}
+
+object Configuration {
+  def defaultAccessLists: ListContainer = {
+    val lists = new ListContainer
+    lists.ip.blacklist = "0.0.0.0/8"       ::
+                         "10.0.0.0/8"      ::
+                         "100.64.0.0/10"   ::
+                         "127.0.0.0/8"     ::
+                         "169.254.0.0/16"  ::
+                         "172.16.0.0/12"   ::
+                         "192.0.0.0/29"    ::
+                         "192.0.2.0/24"    ::
+                         "192.88.99.0/24"  ::
+                         "192.168.0.0/16"  ::
+                         "198.18.0.0/15"   ::
+                         "198.51.100.0/24" ::
+                         "203.0.113.0/24"  ::
+                         "224.0.0.0/4"     ::
+                         "240.0.0.0/4"     ::
+                         Nil
+
+    lists.port.whitelist = "80" :: "8080" :: "443" :: Nil
+    lists.protocol.whitelist = "http" :: "https" :: Nil
+
+    lists
+  }
+}

src/com/includesecurity/safeurl/Response.scala

@@ -0,0 +1,61 @@
+/* Response.scala - Library to protect agains SSRF.
+ * Pull requests are welcome, please find this tool hosted on http://github.com/IncludeSecurity
+ *
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014 Samuel Groß
+ * Copyright (c) 2014 Include Security <info [at sign] includesecurity.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package com.includesecurity.safeurl
+
+import java.net.URLConnection
+import java.nio.file.{Paths, Files}
+import java.nio.charset.Charset
+import sun.misc.BASE64Encoder
+import java.io.{Reader, InputStreamReader}
+
+
+/** Stores the data returned by the remote server. */
+class Response(private val buf: Array[Byte], private val header: Map[String,List[String]]) {
+  /** Return the header of the response. */
+  def getHeader: Map[String,List[String]] = header
+
+  /** Return the response as a string. */
+  def asString(charset: Charset = Charset.defaultCharset): String = new String(buf, charset)
+  def asString: String = asString()     // TODO this looks weird, seems to be needed to support response.asString without ()
+
+  /** Return the response encoded using base64. */
+  def asBase64: String = new sun.misc.BASE64Encoder().encode(buf)
+
+  /** Return the response as raw byte array. */
+  def asBytes: Array[Byte] = buf.clone
+
+  /** Save the response data to a file.
+    *
+    * The file Will be created if it does not already exists. Existing data will be overwritten.
+    *
+    * @param path the path of the file to store the data in
+    * @throws IOException if an I/O error occured while writing to the file
+    * @throws InvalidPathException if the path string cannot be converted to a Path
+    */
+  def saveToFile(path: String): Unit = Files.write(Paths.get(path), buf)
+}