# Server-Side Request Forgery (SSRF) (CWE-918)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

**Stack:** Python

- Prevalence: Średnia Pokryto 3 języków
- Impact: Wysoki 4 reguł o wysokim poziomie
- Prevention: Udokumentowane 4 przykładów poprawek

**OWASP:** Server-Side Request Forgery (A10:2021-Server-Side Request Forgery) - #10

## Description

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls.

## Prevention

Strategie zapobiegania dla Server-Side Request Forgery oparte na 1 regułach detekcji Shoulder.

### Python

Validate URLs against an allowlist of permitted domains

## Warning Signs

- [HIGH] user input controlling URLs in HTTP requests, allowing requests to
arbitrary destinations including 

## Consequences

- Odczyt danych aplikacji
- Obejście mechanizmu ochrony
- Wykonanie nieautoryzowanych poleceń

## Mitigations

- Stosuj listę dozwolonych celów
- Wyłącz zbędne schematy URL (file://, gopher://)
- Stosuj segmentację na poziomie sieci

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input controlling URLs in HTTP requests, allowing requests to
arbitrary destinations including internal services and cloud metadata endpoints.
  - Remediation: Validate URLs against an allowlist of permitted domains.

```python
from urllib.parse import urlparse

ALLOWED_DOMAINS = {"api.github.com", "api.example.com"}
parsed = urlparse(user_url)
if parsed.hostname not in ALLOWED_DOMAINS:
    return "Invalid domain", 400
```

Learn more: https://shoulder.dev/learn/python/cwe-918/ssrf