danog/psalm
1
0
Fork 0
mirror of https://github.com/danog/psalm.git synced 2024-11-27 04:45:20 +01:00
Code Issues Projects Releases Wiki Activity
11e60fa261
psalm/docs/running_psalm/issues/TaintedSSRF.md
Lukas Reschke 5ba4681c17
Add SSRF sinks (#4592)
2020-11-18 00:52:48 -05:00

1.1 KiB
Raw Blame History

TaintedSSRF

Potential Server-Side Request Forgery vulnerability. This rule is emitted when user-controlled input can be passed into a network request.

Risk

Passing untrusted user input to network requests could be dangerous.

If an attacker can fully control a HTTP request they could connect to internal services. Depending on the nature of these, this can pose a security risk. (e.g. backend services, admin interfaces, AWS metadata, ...)

Example

<?php
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $_GET['url']);

curl_exec($ch);

curl_close($ch);

Mitigations

Mitigating SSRF vulnerabilities can be tricky. Disallowing IPs would likely not work as an attacker could create a malicious domain that points to an internal DNS name.

Consider:

  1. Having an allow list of domains that can be connected to.
  2. Pointing cURL to a proxy that has no access to internal resources.

Further resources