# Server-Side Request Forgery (SSRF)

- ID: go-ssrf
- Severity: HIGH
- CWE: Server-Side Request Forgery (CWE-918)
- Languages: Go
- Frameworks: stdlib, gin, echo, fiber, chi, gorilla

## Description

Detects user input flowing into HTTP client requests, enabling Server-Side Request Forgery attacks.

## Detection Message

Untrusted input from {source} reaches HTTP request at {sink}. This allows an attacker to make the server perform requests to arbitrary URLs, potentially accessing internal services or performing port scanning.

## Remediation

Validate URLs against an allowlist of permitted domains.

```go
// Allowlist of hosts the server may contact (imports "errors" and "net/url").
allowed := map[string]bool{"api.example.com": true}
parsed, err := url.Parse(targetURL)
if err != nil {
	return err // reject unparsable input instead of discarding the error
}
if !allowed[parsed.Host] {
	return errors.New("domain not allowed")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-918/ssrf

## Related Rules

- **SSRF in Next.js Server Actions** [HIGH]
- **Server-Side Request Forgery via HTTP Requests** [HIGH]
- **Server-Side Request Forgery (SSRF)** [HIGH]
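The following is an added, self-contained Go example (not code from the rule or from shoulder.dev) that puts the flagged pattern next to a hardened version of the allowlist remediation. It goes slightly beyond the snippet above: it requires an absolute `https` scheme, compares `Hostname()` rather than `Host` so a permitted host with an explicit port is not rejected, refuses URLs carrying userinfo, and re-runs the same check on every redirect so an allowed host cannot bounce the server elsewhere via a 3xx response. The allowlist entry and the sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// allowedHosts is the allowlist of hostnames this service may contact.
// Hypothetical value for the example.
var allowedHosts = map[string]bool{
	"api.example.com": true,
}

// ValidateTarget parses a user-supplied URL and returns its normalized
// form if it is safe to fetch, or an error explaining why it was rejected.
func ValidateTarget(raw string) (string, error) {
	parsed, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("unparsable URL: %w", err)
	}
	// Only absolute https URLs: this rejects other schemes and scheme-less
	// input such as "api.example.com/x", which url.Parse treats as a path.
	if parsed.Scheme != "https" {
		return "", errors.New("scheme not allowed")
	}
	// Refuse embedded credentials; "https://user@host/" is never expected here.
	if parsed.User != nil {
		return "", errors.New("userinfo not allowed")
	}
	// Hostname() drops any port and IPv6 brackets, so "api.example.com:8443"
	// is compared on the host part alone; Host would keep the port.
	host := strings.ToLower(parsed.Hostname())
	if !allowedHosts[host] {
		return "", errors.New("domain not allowed")
	}
	return parsed.String(), nil
}

// NewOutboundClient returns an http.Client that re-validates every redirect
// target against the same allowlist and caps the redirect chain.
func NewOutboundClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			_, err := ValidateTarget(req.URL.String())
			return err
		},
	}
}

// FetchVulnerable is the pattern the rule flags: the raw parameter flows
// straight into the HTTP client with no validation.
func FetchVulnerable(client *http.Client, userURL string) (*http.Response, error) {
	return client.Get(userURL) // sink: untrusted input reaches the request
}

// FetchSafe validates first and uses the redirect-checking client.
func FetchSafe(userURL string) (*http.Response, error) {
	target, err := ValidateTarget(userURL)
	if err != nil {
		return nil, err
	}
	return NewOutboundClient().Get(target)
}

func main() {
	// Constructed inputs showing what the allowlist accepts and rejects.
	for _, in := range []string{
		"https://api.example.com/v1/items",
		"https://api.example.com:8443/v1/items",
		"http://api.example.com/v1/items",
		"https://127.0.0.1:8080/admin",
		"https://api.example.com@evil.test/",
		"api.example.com/v1/items",
	} {
		_, err := ValidateTarget(in)
		fmt.Printf("%-42s -> %v\n", in, err)
	}
}
```

Note that an allowlist on the parsed hostname is a control on the URL string only; name resolution still happens inside the client, so a deployment that needs stronger guarantees should also constrain the dialer (for example by resolving the host and refusing private or loopback addresses before connecting). That extra step is outside what this rule's remediation covers and is not shown here.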