Add a mention of NoPrivateNetworkHttpClient and SSRF to the docs #15912

Merged
merged 1 commit into from
Oct 11, 2021
24 changes: 23 additions & 1 deletion http_client.rst
Expand Up @@ -784,6 +784,28 @@ Alternatively, you can also disable ``verify_host`` and ``verify_peer`` (see
:ref:`http_client config reference <reference-http-client>`), but this is not
recommended in production.

SSRF (Server-side request forgery) Handling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[SSRF](https://portswigger.net/web-security/ssrf) allows an attacker to induce the backend application to make HTTP requests to an arbitrary domain. These attacks can also target the internal hosts and IPs of the attacked server.

If you use an ``HttpClient`` together with user-provided URIs, it is probably a good idea to decorate it with a ``NoPrivateNetworkHttpClient``. This will ensure local networks are made inaccessible to the HTTP client::

use Symfony\Component\HttpClient\HttpClient;
use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;

$client = new NoPrivateNetworkHttpClient(HttpClient::create());
// nothing changes when requesting public networks
$client->request('GET', 'https://example.com/');

// however, all requests to private networks are now blocked by default
$client->request('GET', 'http://localhost/');

// the second optional argument defines the networks to block
// in this example, requests from 104.26.14.0 to 104.26.15.255 will result in an exception
// but all the other requests, including other internal networks, will be allowed
$client = new NoPrivateNetworkHttpClient(HttpClient::create(), ['104.26.14.0/23']);

Performance
-----------

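Review bot: the SSRF link in the first added paragraph uses Markdown syntax, `[SSRF](https://portswigger.net/web-security/ssrf)`, but this is an .rst file, so it will render as literal brackets; use the RST form `` `SSRF <https://portswigger.net/web-security/ssrf>`_ `` and wrap the paragraph to the column width the surrounding text uses. In the code example, the comment "requests from 104.26.14.0 to 104.26.15.255 will result in an exception" describes the destination of the request, so it should read "requests to 104.26.14.0 to 104.26.15.255"; and since the next comment states that "all the other requests, including other internal networks, will be allowed", say explicitly that the second argument replaces the default list of private ranges rather than extending it, otherwise a reader who passes one extra range will silently lose the default protection. Minor: "it is probably a good idea to decorate it" is hedged for reference documentation ("decorate it with" is enough), and the comment "all requests to private networks are now blocked by default" on the localhost call could say that the call throws, matching the "will result in an exception" wording used below.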
Expand Down Expand Up @@ -1074,7 +1096,7 @@ This behavior provided at destruction-time is part of the fail-safe design of th
component. No errors will be unnoticed: if you don't write the code to handle
errors, exceptions will notify you when needed. On the other hand, if you write
the error-handling code (by calling ``$response->getStatusCode()``), you will
opt-out from these fallback mechanisms as the destructor won't have anything
opt-out from these fallback mechanisms as the destructor won't have anything
remaining to do.

Concurrent Requests
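Review bot: the removed and added versions of the line "opt-out from these fallback mechanisms as the destructor won't have anything" look identical in this view, so whatever changed in this hunk (presumably whitespace) is not visible here; a whitespace-only touch in an unrelated paragraph is better kept out of a PR whose subject is the new SSRF section. If the line is edited anyway, "opt out" (two words) is the verb form; the hyphenated "opt-out" is the noun.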