Recommendations on handling SSRF?

[SorteKanin]

I'm looking into using reqwest with user-submitted URLs, which brings some danger due to server-side request forgery.

One possible way I can see to handle this is to use a custom DNS resolver via the dns_resolver method, then verify that the resolved IP is a "normal" public IP and not an internal/private/reserved IP.

However, I'd prefer if there was a way I could do this without touching the DNS resolution, as I really want to just perform some checks on the resolved IPs. I'm also concerned if this is adequate to protect against SSRF in general.

Any suggestions or is dns_resolver the way to go? Would a feature request for something along these lines make sense? Maybe an easy security function in the same vein as .https_only(true) would be nice, like .public_ips_only(true)?

For example, I was thinking something along these lines, but it forces me to override the DNS and that's kind of tangential to my goal here:

use std::sync::Arc;

use bogon::BogonExt;
use reqwest::{
    dns::{Addrs, Name, Resolve, Resolving},
    ClientBuilder,
};

#[tokio::main]
async fn main() -> Result<(), anyhow::Error> {
    let client = ClientBuilder::new()
        .dns_resolver(Arc::new(SsrfResolver))
        .build()?;

    assert!(client.get("https://localhost").send().await.is_err());
    assert!(client.get("https://example.org").send().await.is_ok());

    Ok(())
}

struct SsrfResolver;

impl Resolve for SsrfResolver {
    fn resolve(&self, name: Name) -> Resolving {
        Box::pin(resolve_name_and_check_ip(name))
    }
}

async fn resolve_name_and_check_ip(
    name: Name,
) -> Result<Addrs, Box<dyn std::error::Error + Send + Sync>> {
    let non_bogus_ips = tokio::net::lookup_host((name.as_str().to_string(), 0))
        .await?
        .filter(|socket| !socket.ip().is_bogon());

    Ok(Box::new(non_bogus_ips))
}