CRITICAL
Rule Definition
Passing untrusted user input to network requests could be dangerous.
If an attacker can fully control a HTTP request they could connect to internal services. Depending on the nature of these, this can pose a security risk. (e.g. backend services, admin interfaces, AWS metadata, ...)
Remediation
Mitigating SSRF vulnerabilities can be tricky. Disallowing IPs would likely not work as an attacker could create a malicious domain that points to an internal DNS name. Consider:
- Having an allow list of domains that can be connected to.
- Pointing cURL to a proxy that has no access to internal resources.
Violation Code Sample
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']); // VIOLATION
curl_exec($ch);
curl_close($ch);
Fixed Code Sample
<?php
$ch = curl_init();
/**
* @psalm-taint-escape ssrf
*/
function my_escaping_function_for_urls(string input) : string {
// Check that input is part of a hard-coded white-list of permitted domains
};
$name = my_escaping_function_for_urls($_GET['url']); // FUNCTION ANNOTATED WITH "@psalm-taint-escape ssrf"
curl_setopt($ch, CURLOPT_URL, $url); // FIXED
curl_exec($ch);
curl_close($ch);
Reference
CWE-918: Server-Side Request Forgery (SSRF)
https://cwe.mitre.org/data/definitions/918
OWASP Wiki for Server Side Request Forgery
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
Related Technologies
Technical Criterion
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.