Introducing dssrf: A Node.js Library That Eliminates SSRF by Design

[HackingRepo]

dssrf is a small, defensive library for Node.js that performs strict SSRF‑safety checks on untrusted URLs. It provides a simple async API that returns true for safe URLs and false for anything that resolves to internal, private, or otherwise unsafe network targets.

The goal is to give developers a minimal, deterministic, safe‑by‑default primitive for validating outbound request targets before passing them to an HTTP client.

Why this exists

Most SSRF defenses rely on URL parsing, allowlists, or ad‑hoc hostname checks. These approaches are fragile because:

• URL parsers behave inconsistently across runtimes
• DNS rebinding can bypass hostname checks
• IP literal formats (octal, hex, mixed) are easy to normalize incorrectly
• redirects can silently cross trust boundaries
• user input often reaches HTTP clients without validation

dssrf performs strict, forensic validation of the final resolved address and rejects anything that could target internal services or non‑public networks.

Usage

import { is_url_safe } from "dssrf";

const url = await is_url_safe("https://example.com");

if (!url) {
  throw new Error("SSRF attempt detected.");
}

// Safe to use url with your http client

What it checks

• private IPv4 ranges
• private IPv6 ranges
• localhost / loopback
• link‑local and multicast ranges
• IPv4‑in‑IPv6 embeddings
• malformed hostnames
• encoded or ambiguous IP formats
• DNS rebinding attempts
• unsafe redirects (blocked by default)
• The user info symbol (@) removed in the url and backlash replaced with slash

The function returns false for anything that resolves to an internal or ambiguous address.

What it is not

• not a general‑purpose HTTP client
• not a URL parser
• not a firewall
• not a proxy
• not a drop‑in replacement for fetch()

It is a small, focused primitive intended for code paths where untrusted input might influence request targets.

Repository

https://github.com/HackingRepo/dssrf-js

Feedback and design critiques are welcome.