BÊTA Shoulder est en bêta — Les résultats peuvent parfois être incorrects. Vos retours façonnent ce que nous corrigeons ensuite. Donner mon avis
Shoulder.dev

Renseignement sur les Menaces pour Développeurs
🌐

Server-Side Request Forgery (SSRF)

🛡️ 4 règles détectent ceci

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls.

Prévalence
Moyenne
3 langages couverts
Impact
Élevé
4 règles de sévérité élevée
Prévention
Documentée
4 exemples de correctifs
2 Prévention
2 Prévention

Comment corriger cette vulnérabilité

Stratégies de prévention pour Server-Side Request Forgery basées sur 4 règles de détection Shoulder.

🐹 Go Tout voir Go détails →
Server-Side Request Forgery (SSRF) HIGH

Parse URL and validate host against domain allowlist

+55 -11 go 
  package main
  
  import (
      "io"
-     "net/http"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     targetURL := r.URL.Query().Get("url")
-     // Vulnerable: user-controlled URL
-     resp, err := http.Get(targetURL)
-     if err != nil {
-         http.Error(w, err.Error(), 500)
-         return
-     }
+     "net"
+     "net/http"
+     "net/url"
+ )
+ 
+ var allowedDomains = map[string]bool{
+     "api.example.com": true,
+     "cdn.example.com": true,
+ }
+ 
+ func isPrivateIP(ip net.IP) bool {
+     private := []string{
+         "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
+         "169.254.0.0/16", "127.0.0.0/8",
+     }
+     for _, cidr := range private {
+         _, network, _ := net.ParseCIDR(cidr)
+         if network.Contains(ip) {
+             return true
+         }
+     }
+     return false
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     targetURL := r.URL.Query().Get("url")
+ 
+     parsed, err := url.Parse(targetURL)
+     if err != nil {
+         http.Error(w, "Invalid URL", 400)
+         return
+     }
+ 
+     // Validate scheme
+     if parsed.Scheme != "https" {
+         http.Error(w, "HTTPS required", 400)
+         return
+     }
+ 
+     // Validate domain
+     if !allowedDomains[parsed.Host] {
+         http.Error(w, "Domain not allowed", 403)
+         return
+     }
+ 
+     // Block private IPs (DNS rebinding protection)
+     ips, _ := net.LookupIP(parsed.Hostname())
+     for _, ip := range ips {
+         if isPrivateIP(ip) {
+             http.Error(w, "Private IP not allowed", 403)
+             return
+         }
+     }
+ 
+     resp, _ := http.Get(targetURL)
      defer resp.Body.Close()
      io.Copy(w, resp.Body)
  }
🟨 JavaScript Tout voir JavaScript détails →
SSRF in Next.js Server Actions HIGH

Validate URLs against an allowlist of permitted domains before fetching

+8 -4 javascript 
  'use server'
- 
- export async function fetchData(url: string) {
-   const response = await fetch(url);
-   return await response.json();
+ const ALLOWED_DOMAINS = ['api.example.com', 'cdn.example.com'];
+ 
+ export async function fetchData(url: string) {
+   const parsed = new URL(url);
+   if (!ALLOWED_DOMAINS.includes(parsed.hostname)) {
+     throw new Error('URL not allowed');
+   }
+   return await fetch(url).then(r => r.json());
  }
Server-Side Request Forgery via HTTP Requests HIGH

Validate URLs against domain allowlist before making requests

+25 -5 javascript 
  const http = require('http');
- 
- function fetchUrl(url) {
-   // Vulnerable: no URL validation
-   return new Promise((resolve, reject) => {
-     http.get(url, (res) => {
+ const https = require('https');
+ 
+ const ALLOWED_DOMAINS = ['api.example.com', 'cdn.example.com'];
+ 
+ function fetchUrl(url) {
+   const parsed = new URL(url);
+ 
+   // Validate protocol
+   if (!['http:', 'https:'].includes(parsed.protocol)) {
+     throw new Error('Invalid protocol');
+   }
+ 
+   // Validate against allowlist
+   if (!ALLOWED_DOMAINS.includes(parsed.hostname)) {
+     throw new Error('Domain not allowed');
+   }
+ 
+   // Block private/internal IPs
+   if (isPrivateIP(parsed.hostname)) {
+     throw new Error('Private IP not allowed');
+   }
+ 
+   const client = parsed.protocol === 'https:' ? https : http;
+   return new Promise((resolve, reject) => {
+     client.get(url, (res) => {
        let data = '';
        res.on('data', chunk => data += chunk);
        res.on('end', () => resolve(data));
      }).on('error', reject);
    });
  }
4 Signes d'Alerte
4 Signes d'Alerte

Ce qu'il faut surveiller lors des revues de code

Ces patterns indiquent des vulnérabilités potentielles Server-Side Request Forgery (SSRF). Recherchez-les lors des revues de code et des audits de sécurité.

🟠
user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks go-ssrf
🟠
Server Action '...' has SSRF vulnerability: user input controls HTTP request URL javascript-nextjs-server-action-ssrf
🟠
user-controlled input flowing into HTTP request URLs in Server Actions javascript-nextjs-server-action-ssrf
🟠
user input flowing into HTTP request functions without URL validation javascript-ssrf
🟠
user input controlling URLs in HTTP requests, allowing requests to arbitrary destinations including python-ssrf
🔍

Scannez votre base de code pour Server-Side Request Forgery (SSRF)

Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.

npx shoulder trust Parcourir toutes les règles