minor #15912 Add a mention of NoPrivateNetworkHttpClient and SSRF to the docs (Seldaek)
This PR was submitted for the 5.1 branch but it was merged into the 5.3 branch instead.
Discussion
----------
Add a mention of NoPrivateNetworkHttpClient and SSRF to the docs
Stolen a bunch of content from https://symfony.com/blog/new-in-symfony-5-1-server-side-request-forgery-protection

Fixes #13031
Commits
-------
df4fd60 Add a mention of NoPrivateNetworkHttpClient and SSRF to the docs
http_client.rst (23 additions & 1 deletion)
@@ -784,6 +784,28 @@ Alternatively, you can also disable ``verify_host`` and ``verify_peer`` (see
784
784
:ref:`http_client config reference <reference-http-client>`), but this is not
785
785
recommended in production.
786
786
787
+
SSRF (Server-side request forgery) Handling
788
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
789
+
790
+
[SSRF](https://portswigger.net/web-security/ssrf) allows an attacker to induce the backend application to make HTTP requests to an arbitrary domain. These attacks can also target the internal hosts and IPs of the attacked server.
791
+
792
+
If you use an ``HttpClient`` together with user-provided URIs, it is probably a good idea to decorate it with a ``NoPrivateNetworkHttpClient``. This will ensure local networks are made inaccessible to the HTTP client::
793
+
794
+
use Symfony\Component\HttpClient\HttpClient;
795
+
use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
796
+
797
+
$client = new NoPrivateNetworkHttpClient(HttpClient::create());
798
+
// nothing changes when requesting public networks
799
+
$client->request('GET', 'https://example.com/');
800
+
801
+
// however, all requests to private networks are now blocked by default
802
+
$client->request('GET', 'http://localhost/');
803
+
804
+
// the second optional argument defines the networks to block
805
+
// in this example, requests from 104.26.14.0 to 104.26.15.255 will result in an exception
806
+
// but all the other requests, including other internal networks, will be allowed
807
+
$client = new NoPrivateNetworkHttpClient(HttpClient::create(), ['104.26.14.0/23']);
808
+
787
809
Performance
788
810
-----------
789
811
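Review bot: the link on new line 790 uses Markdown syntax, `[SSRF](https://portswigger.net/web-security/ssrf)`, inside an .rst file, so Sphinx will render the brackets and the bare URL literally instead of a hyperlink; write it in reStructuredText form, `` `SSRF <https://portswigger.net/web-security/ssrf>`_ ``, to match the rest of http_client.rst. Three smaller points in the same hunk: the `$client->request('GET', 'http://localhost/');` example is labelled "blocked" but never says what the caller observes, so a trailing comment naming the exception that is thrown (and a sentence telling readers to catch it wherever user-supplied URLs are passed in) would make the behaviour concrete; the comment on line 805 says "requests from 104.26.14.0 to 104.26.15.255", which should read "requests to", since the list is a set of destination networks; and "the internal hosts and IPs of the attacked server" on line 790 is awkward, "internal hosts and IP ranges reachable from the server" says what is meant.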
@@ -1074,7 +1096,7 @@ This behavior provided at destruction-time is part of the fail-safe design of th
1074
1096
component. No errors will be unnoticed: if you don't write the code to handle
1075
1097
errors, exceptions will notify you when needed. On the other hand, if you write
1076
1098
the error-handling code (by calling ``$response->getStatusCode()``), you will
1077
-
opt-out from these fallback mechanisms as the destructor won't have anything
1099
+
opt-out from these fallback mechanisms as the destructor won't have anything
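Review bot: the removed line 1077 and the added line 1099 read identically here ("opt-out from these fallback mechanisms as the destructor won't have anything"), so this hunk appears to be a whitespace-only change that is unrelated to the SSRF section the commit message describes; either drop it to keep the diff focused or mention the trailing-whitespace cleanup in the commit message so it is not mistaken for a content change.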