# Server-Side Request Forgery (SSRF) (CWE-918)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

**Stack:** JavaScript

- Prevalence: Moyenne 3 langages couverts
- Impact: Élevé 4 règles de sévérité élevée
- Prevention: Documentée 4 exemples de correctifs

**OWASP:** Server-Side Request Forgery (A10:2021-Server-Side Request Forgery) - #10

## Description

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls.

## Prevention

Stratégies de prévention pour Server-Side Request Forgery basées sur 2 règles de détection Shoulder.

### JavaScript

Validate URLs against an allowlist of permitted domains before fetching

Validate URLs against domain allowlist before making requests

## Warning Signs

- [HIGH] Server Action '...' has SSRF vulnerability: user input controls HTTP request URL
- [HIGH] user-controlled input flowing into HTTP request URLs in Server Actions
- [HIGH] user input flowing into HTTP request functions without URL validation

## Consequences

- Lecture des données de l'application
- Contourner le mécanisme de protection
- Exécuter des commandes non autorisées

## Mitigations

- Utilisez une liste d'autorisation des destinations permises
- Désactivez les schémas d'URL inutiles (file://, gopher://)
- Utilisez une segmentation au niveau réseau

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (2 rules)

- **SSRF in Next.js Server Actions** [HIGH]: Detects user-controlled input flowing into HTTP request URLs in Server Actions.
  - Remediation: Validate and sanitize URLs before making HTTP requests. Use allowlists.
See remediation section for examples.
- **Server-Side Request Forgery via HTTP Requests** [HIGH]: Detects user input flowing into HTTP request functions without URL validation.
  - Remediation: Validate URLs against an allowlist of permitted domains before making requests.

```javascript
const url = new URL(userInput);
if (ALLOWED_DOMAINS.includes(url.hostname)) {
  axios.get(userInput);
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-918/ssrf

### Typescript (2 rules)

- **SSRF in Next.js Server Actions** [HIGH]: Detects user-controlled input flowing into HTTP request URLs in Server Actions.
  - Remediation: Validate and sanitize URLs before making HTTP requests. Use allowlists.
See remediation section for examples.
- **Server-Side Request Forgery via HTTP Requests** [HIGH]: Detects user input flowing into HTTP request functions without URL validation.
  - Remediation: Validate URLs against an allowlist of permitted domains before making requests.

```javascript
const url = new URL(userInput);
if (ALLOWED_DOMAINS.includes(url.hostname)) {
  axios.get(userInput);
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-918/ssrf