Add policy

src/WebJobs.Script.WebHost/AntiSSRF/AntiSSRFConstants.cs

@@ -0,0 +1,10 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    public static class AntiSSRFConstants
+    {
+        public static readonly string AntiSSRFHttpClientName = "AntiSSRFClient";
+    }
+}

src/WebJobs.Script.WebHost/AntiSSRF/AntiSSRFServiceCollectionExtensions.cs

@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Internal.AntiSSRF;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost
+{
+    public static class AntiSSRFServiceCollectionExtensions
+    {
+        public static IServiceCollection AddAntiSSRFHttpClient(this IServiceCollection services)
+        {
+            // create and add SSRF HTTP client
+            var policy = new AntiSSRFPolicy();
+            policy.SetDefaults();
+            var handler = policy.GetHandler();
+            services.AddHttpClient(AntiSSRFConstants.AntiSSRFHttpClientName)
+                .ConfigurePrimaryHttpMessageHandler(() => handler);
+
+            return services;
+        }
+    }
+}

src/WebJobs.Script.WebHost/Management/AtlasInstanceManager.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
@@ -39,7 +39,7 @@ public AtlasInstanceManager(IOptionsFactory<ScriptApplicationHostOptions> option
             IPackageDownloadHandler packageDownloadHandler) : base(httpClientFactory, webHostEnvironment,
             environment, logger, metricsLogger, meshServiceClient)
         {
-            _client = httpClientFactory?.CreateClient() ?? throw new ArgumentNullException(nameof(httpClientFactory));
+            _client = httpClientFactory?.CreateClient(AntiSSRFConstants.AntiSSRFHttpClientName) ?? throw new ArgumentNullException(nameof(httpClientFactory));
             _webHostEnvironment = webHostEnvironment ?? throw new ArgumentNullException(nameof(webHostEnvironment));
             _logger = logger ?? throw new ArgumentNullException(nameof(logger));
             _metricsLogger = metricsLogger;
@@ -182,6 +182,7 @@ protected override async Task<string> DownloadWarmupAsync(RunFromPackageContext
             string error = null;
             HttpResponseMessage response = null;
             long? contentLength = null;
+
             try
             {
                 if (!string.IsNullOrEmpty(blobUri))

src/WebJobs.Script.WebHost/Management/LinuxSpecialization/PackageDownloadHandler.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using System;
@@ -34,7 +34,7 @@ public PackageDownloadHandler(IHttpClientFactory httpClientFactory, IManagedIden
             IBashCommandHandler bashCommandHandler, IEnvironment environment, IFileSystem fileSystem, ILogger<PackageDownloadHandler> logger,
             IMetricsLogger metricsLogger)
         {
-            _httpClient = httpClientFactory?.CreateClient() ?? throw new ArgumentNullException(nameof(httpClientFactory));
+            _httpClient = httpClientFactory?.CreateClient(AntiSSRFConstants.AntiSSRFHttpClientName) ?? throw new ArgumentNullException(nameof(httpClientFactory));
             _managedIdentityTokenProvider = managedIdentityTokenProvider ?? throw new ArgumentNullException(nameof(managedIdentityTokenProvider));
             _bashCommandHandler = bashCommandHandler ?? throw new ArgumentNullException(nameof(bashCommandHandler));
             _environment = environment ?? throw new ArgumentNullException(nameof(environment));

src/WebJobs.Script.WebHost/WebHostServiceCollectionExtensions.cs

@@ -144,6 +144,7 @@ public static void AddWebJobsScriptHost(this IServiceCollection services, IConfi
             services.AddSingleton<IFunctionMetadataManager, FunctionMetadataManager>();
             services.AddSingleton<IWebFunctionsManager, WebFunctionsManager>();
             services.AddHttpClient();
+            services.AddAntiSSRFHttpClient();
             services.AddBundlesHttpClient();
 
             services.AddSingleton<StartupContextProvider>();

src/WebJobs.Script.WebHost/WebJobs.Script.WebHost.csproj

@@ -72,6 +72,7 @@
     <PackageReference Include="Microsoft.Azure.WebSites.DataProtection" Version="2.1.91-alpha" />
     <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="$(IdentityDependencyVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(IdentityDependencyVersion)" />
+    <PackageReference Include="Microsoft.Internal.AntiSSRF" Version="2.2.1" />
     <PackageReference Include="Microsoft.Security.Utilities" Version="1.3.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.556" PrivateAssets="all" />

src/WebJobs.Script/ExtensionBundle/BundlesServiceCollectionExtensions.cs

@@ -3,8 +3,6 @@
 
 using System;
 using System.Net;
-using System.Net.Http;
-using System.Runtime.InteropServices;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Polly;