# SSRF Protection Mechanisms Explained and Enterprise-Grade Isolation Practice

## Overview

SSRF (server-side request forgery) makes the server fetch a target resource chosen by the attacker, which can expose internal-network data or cloud metadata. Blocking private address ranges, enforcing allowlists and forcing outbound traffic through an egress proxy significantly reduce the risk.

## Address-range blocking and URL parsing

```typescript
// Private, loopback, link-local and unique-local ranges that outbound requests must never reach
const privateCidrs = [
  '10.0.0.0/8',
  '172.16.0.0/12',
  '192.168.0.0/16',
  '127.0.0.0/8',
  '169.254.0.0/16',
  '::1/128',
  'fc00::/7'
]

// Parse the user-supplied URL and enforce the scheme and host allowlists; null means "reject"
function parseAndValidateUrl(input: string, allowSchemes: string[], allowHosts: string[]): URL | null {
  try {
    const u = new URL(input)
    // u.protocol is e.g. "https:"; compare without the trailing colon
    if (!allowSchemes.includes(u.protocol.replace(':', ''))) return null
    // u.hostname is lowercased by the URL parser; IPv6 literals keep their brackets, e.g. "[::1]"
    if (allowHosts.length && !allowHosts.includes(u.hostname)) return null
    return u
  } catch {
    return null   // malformed input is rejected rather than guessed at
  }
}
```
## DNS and IP validation

```typescript
// Resolve the host and reject it if any answer falls inside a private range.
// dnsLookupAll is assumed to return every A/AAAA answer for the host.
async function resolveAndCheck(host: string): Promise<boolean> {
  const ips = await dnsLookupAll(host)
  if (ips.length === 0) return false   // fail closed when nothing resolves
  for (const ip of ips) {
    if (isPrivate(ip)) return false    // a single private answer rejects the whole host
  }
  // Note: the resolved addresses must be pinned for the actual connection,
  // otherwise a second lookup at connect time allows DNS rebinding.
  return true
}

// matchCidrs is assumed to test one address against a list of CIDR blocks
function isPrivate(ip: string): boolean {
  return matchCidrs(ip, privateCidrs)
}
```
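As an added example (not code from the original post), here is a concrete `isPrivate`, i.e. the `matchCidrs` left undefined above, built on Node's `net.BlockList`, plus a fail-closed verdict over a full DNS answer; it also handles the IPv4-mapped IPv6 and bracketed-host forms that a naive string comparison misses. It assumes Node 15 or later, and adds the IPv6 link-local block `fe80::/10` to the article's list.

```typescript
import { BlockList, isIP } from 'node:net'

// The article's private ranges, plus IPv6 link-local (added here)
const PRIVATE_CIDRS = [
  '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8',
  '169.254.0.0/16', '::1/128', 'fc00::/7', 'fe80::/10'
]

// Build the matcher once; net.BlockList does the prefix comparison per address family
function buildBlockList(cidrs: string[]): BlockList {
  const bl = new BlockList()
  for (const cidr of cidrs) {
    const slash = cidr.indexOf('/')
    const net = cidr.slice(0, slash)
    const prefix = Number(cidr.slice(slash + 1))
    bl.addSubnet(net, prefix, isIP(net) === 6 ? 'ipv6' : 'ipv4')
  }
  return bl
}

const privateList = buildBlockList(PRIVATE_CIDRS)

// Normalise forms a plain string check gets wrong:
//  - "[::1]" as returned by URL.hostname for IPv6 literals
//  - IPv4-mapped IPv6 in dotted form, "::ffff:10.0.0.1", converted to plain IPv4
// Returns null for anything that is not a literal IP address.
function normalizeIp(ip: string): string | null {
  let s = ip.trim().toLowerCase()
  if (s.startsWith('[') && s.endsWith(']')) s = s.slice(1, -1)
  const v4 = s.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/)?.[1]
  if (v4) s = v4
  return isIP(s) ? s : null
}

// True when the address is private, loopback, link-local or unparseable (fail closed)
export function isPrivate(ip: string): boolean {
  const n = normalizeIp(ip)
  if (n === null) return true
  return privateList.check(n, isIP(n) === 6 ? 'ipv6' : 'ipv4')
}

// Verdict over a complete DNS answer: at least one address, and every one of them public
export function allResolvedPublic(ips: string[]): boolean {
  return ips.length > 0 && ips.every(ip => !isPrivate(ip))
}
```

Feed `allResolvedPublic` the same address list you then pin for the connection, so the checked answer and the connected address cannot diverge.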
## Egress proxy and network segmentation

```typescript
// Fetch an already-validated URL (parseAndValidateUrl + resolveAndCheck) through the egress proxy,
// with a hard timeout and a response-size cap. Returns null on any failure.
async function safeFetch(u: URL, opts: { timeoutMs: number; maxBytes: number }): Promise<ArrayBuffer | null> {
  const ctl = new AbortController()
  const t = setTimeout(() => ctl.abort(), opts.timeoutMs)
  try {
    // redirect: 'manual' so a 3xx pointing at an internal address cannot bypass the checked URL
    const res = await fetch(u.toString(), { signal: ctl.signal, redirect: 'manual' })
    if (!res.ok || !res.body) return null
    const reader = res.body.getReader()
    let read = 0
    const chunks: Uint8Array[] = []
    while (true) {
      const { value, done } = await reader.read()
      if (done) break
      read += value.length
      if (read > opts.maxBytes) {
        await reader.cancel()   // stop pulling an oversized body
        return null
      }
      chunks.push(value)
    }
    return concat(chunks)   // concat is assumed to join the chunks into one ArrayBuffer
  } finally {
    clearTimeout(t)   // cleared on every path, including errors and aborts
  }
}
```
## Cloud metadata protection

- Block access to metadata addresses such as `169.254.169.254` by default.
- Where such access is genuinely required, route it through a controlled proxy and expose only the minimum set of fields.
- Log every access attempt and raise a high-priority alert.

## Operations and testing

- Send all outbound traffic through a single egress proxy and filter it by CIDR.
- Enable DNS pinning and validate resolution results to prevent rebinding.
- Cover private, loopback, link-local and metadata addresses in integration tests.

In common web and microservice scenarios this approach achieves robust SSRF protection and isolation.