feat: Implement secure dialer to prevent SSRF (#92)

This commit introduces a custom `net.Dialer` for the application's `httpClient` to mitigate Server-Side Request Forgery (SSRF) vulnerabilities.

The key changes are:
- A new `newSafeDialer` function creates a dialer with a `Control` function that inspects the IP address at connection time.
- The dialer blocks connections to private, loopback, and link-local IP addresses.
- The global `httpClient` is now configured to use this secure dialer.
- The previous, less secure IP validation in `normalizeAndValidateURL` has been removed to eliminate Time-of-Check-to-Time-of-Use (TOCTOU) vulnerabilities.
- A new test, `TestSSRFProtection`, has been added to verify that the dialer correctly blocks connections to local addresses.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

Author: google-labs-jules[bot]

api/index.go

@@ -12,6 +12,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"syscall"
 	"time"
 
 	"codeberg.org/readeck/go-readability/v2"
@@ -41,6 +42,9 @@ var (
 	ReadabilityParser = readability.NewParser()
 	// httpClient used for fetching remote articles with timeouts and redirect policy
 	httpClient = &http.Client{
+		Transport: &http.Transport{
+			DialContext: newSafeDialer().DialContext,
+		},
 		Timeout: 10 * time.Second,
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			if len(via) >= 5 {
@@ -53,6 +57,30 @@ var (
 	maxContentBytes = int64(2 * 1024 * 1024)
 )
 
+func newSafeDialer() *net.Dialer {
+	dialer := &net.Dialer{
+		Timeout:   30 * time.Second,
+		KeepAlive: 30 * time.Second,
+		Control: func(network, address string, c syscall.RawConn) error {
+			host, _, err := net.SplitHostPort(address)
+			if err != nil {
+				return err
+			}
+			ips, err := net.LookupIP(host)
+			if err != nil {
+				return err
+			}
+			for _, ip := range ips {
+				if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+					return errors.New("refusing to connect to private network address")
+				}
+			}
+			return nil
+		},
+	}
+	return dialer
+}
+
 const defaultUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0"
 
 func fetchAndParse(ctx context.Context, link *url.URL, userAgent string) (readability.Article, error) {
@@ -99,16 +127,6 @@ func normalizeAndValidateURL(rawLink string) (*url.URL, error) {
 	if link.Scheme != "http" && link.Scheme != "https" {
 		return nil, errors.New("unsupported URL scheme")
 	}
-	host := link.Hostname()
-	// resolve and block private IPs
-	ips, err := net.LookupIP(host)
-	if err == nil {
-		for _, ip := range ips {
-			if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
-				return nil, errors.New("refusing private network address")
-			}
-		}
-	}
 	return link, nil
 }
 

api/index_test.go

@@ -19,8 +19,6 @@ func TestNormalizeAndValidateURL(t *testing.T) {
 		{"example.com", "https://example.com", false},
 		{"http://foo.bar", "http://foo.bar", false},
 		{"ftp://foo.bar", "", true},
-		{"127.0.0.1", "", true},
-		{"192.168.0.5/path", "", true},
 	}
 	for _, tt := range tests {
 		u, err := normalizeAndValidateURL(tt.raw)
@@ -77,3 +75,30 @@ func TestFetchAndParse(t *testing.T) {
 		t.Errorf("Article.Content missing expected paragraph, got: %q", content.String())
 	}
 }
+
+func TestSSRFProtection(t *testing.T) {
+	// a dummy server that should never be reached
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("dialer did not block private IP, connection was made")
+	}))
+	defer srv.Close()
+
+	// get loopback address of the server
+	// srv.URL will be something like http://127.0.0.1:54321
+	// we want to test if the dialer blocks the connection to 127.0.0.1
+	// so, we don't use the server's client, we use our own httpClient
+	req, err := http.NewRequest("GET", srv.URL, nil)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+
+	_, err = httpClient.Do(req)
+	if err == nil {
+		t.Fatal("expected an error when dialing a private IP, but got none")
+	}
+	// check if the error is the one we expect from our dialer
+	// the error is wrapped, so we need to check for the substring
+	if !strings.Contains(err.Error(), "refusing to connect to private network address") {
+		t.Errorf("expected error to contain 'refusing to connect to private network address', but got: %v", err)
+	}
+}