AntiSSRFPolicy.addDeniedAddresses Method
Definition
Adds IP networks to be explicitly blocked by the policy.
addDeniedAddresses(networks: string[]): void
allowedAddresses takes precedence over deniedAddresses. If an IP address matches both, it will be considered allowed by the policy.
denyAllUnspecifiedIPs takes precedence over deniedAddresses. If denyAllUnspecifiedIPs is true, deniedAddresses will not be considered when determining if an IP address is allowed or blocked by the policy.
Parameters
networks: string[]
The list of IP networks to be explicitly blocked by the policy.
Networks can be:
- IPv4 addresses in dotted-quad notation
  - ex. 127.0.0.1
- IPv6 addresses in expanded notation x:x:x:x:x:x:x:x, where the xs are one to four hexadecimal digits
  - ex. ABCD:EF01:2345:6789:ABCD:EF01:2345:6789
- IPv6 addresses in compressed notation, where one group of consecutive 0s is represented with ::
  - ex. ABCD::, ::1, ABCD:EF01::2345:6789
- IPv6 in mixed notation x:x:x:x:x:x:d.d.d.d, where the xs are hexadecimal values and the ds are decimal
  - ex. ::FFFF:127.0.0.1
- Any of the above addresses with a decimal prefix length <ip-address>/<prefix-length>
  - ex. 192.0.2.0/24, 2001:db8::/32
Errors
AntiSSRFError
- The networks argument is null or undefined.
- Some network in networks is not a valid format.
- denyAllUnspecifiedIPs is already set to true.
Examples
const { AntiSSRFPolicy, PolicyConfigOptions } = require('@microsoft/antissrf');
const https = require('https');

// Customize the policy
const policy = new AntiSSRFPolicy(PolicyConfigOptions.None);
policy.addDeniedAddresses(["1.2.3.4"]);

const options = {
  hostname: '<some_untrusted_hostname>',
  path: '/public/data',
  // Route the request through the policy-enforcing agent
  agent: policy.getHttpsAgent()
};

const req = https.request(options, (res) => {
  // If the untrusted hostname resolves to anything besides 1.2.3.4,
  // the request will succeed here
});

req.on('error', (err) => {
  // If the untrusted hostname resolves to 1.2.3.4,
  // the request will fail here with an AntiSSRFError
});

req.end();
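
The precedence rules and network formats described above, modeled as an added example that is not code from this page or from the @microsoft/antissrf library. It uses Node's built-in net.BlockList; the names toBlockList, evaluate and samplePolicy are hypothetical, and it assumes denyAllUnspecifiedIPs blocks every address that is not explicitly allowed.

```javascript
// Added illustration: a stand-alone model of the documented precedence rules.
// NOT the @microsoft/antissrf implementation; all names here are hypothetical.
const net = require('net');

// Build a net.BlockList from strings in the documented formats:
// a bare IPv4/IPv6 address, or <ip-address>/<prefix-length>.
function toBlockList(networks) {
  if (!Array.isArray(networks)) throw new TypeError('networks must be an array');
  const list = new net.BlockList();
  for (const entry of networks) {
    const [addr, prefix, ...rest] = String(entry).split('/');
    const version = net.isIP(addr); // 4, 6, or 0 when the address is invalid
    if (version === 0 || rest.length > 0) throw new TypeError(`invalid network: ${entry}`);
    const family = version === 4 ? 'ipv4' : 'ipv6';
    if (prefix === undefined) {
      list.addAddress(addr, family);
      continue;
    }
    const bits = Number(prefix);
    const max = version === 4 ? 32 : 128;
    if (!/^\d+$/.test(prefix) || bits > max) throw new TypeError(`invalid prefix: ${entry}`);
    list.addSubnet(addr, bits, family);
  }
  return list;
}

// Decide one resolved IP address in the order the remarks describe.
function evaluate(ip, { allowed = [], denied = [], denyAllUnspecifiedIPs = false }) {
  const version = net.isIP(ip);
  if (version === 0) throw new TypeError(`invalid IP: ${ip}`);
  const family = version === 4 ? 'ipv4' : 'ipv6';
  // 1. allowedAddresses wins over deniedAddresses when both match.
  if (toBlockList(allowed).check(ip, family)) return 'allowed';
  // 2. Assumption: denyAllUnspecifiedIPs blocks everything not explicitly
  //    allowed, so deniedAddresses is never consulted.
  if (denyAllUnspecifiedIPs) return 'blocked';
  // 3. Otherwise deniedAddresses decides; anything unmatched is allowed.
  return toBlockList(denied).check(ip, family) ? 'blocked' : 'allowed';
}

// Constructed sample policy: one allowed host inside a denied /24.
const samplePolicy = {
  allowed: ['192.0.2.10'],
  denied: ['192.0.2.0/24', '2001:db8::/32', '::1'],
};
```

An allow entry inside a denied range silently opens that address, so review the allowed list whenever a denied network is added.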