mirror of
https://github.com/danog/psalm.git
synced 2024-12-11 16:59:45 +01:00
1.1 KiB
1.1 KiB
TaintedSSRF
Potential Server-Side Request Forgery vulnerability. This rule is emitted when user-controlled input can be passed into a network request.
Risk
Passing untrusted user input to network requests could be dangerous.
If an attacker can fully control a HTTP request they could connect to internal services. Depending on the nature of these, this can pose a security risk. (e.g. backend services, admin interfaces, AWS metadata, ...)
Example
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
curl_exec($ch);
curl_close($ch);
Mitigations
Mitigating SSRF vulnerabilities can be tricky. Disallowing IPs would likely not work as an attacker could create a malicious domain that points to an internal DNS name.
Consider:
- Having an allow list of domains that can be connected to.
- Pointing cURL to a proxy that has no access to internal resources.