Unsanitized user input in HTTP request (SSRF)

Description

Server-Side Request Forgery (SSRF) occurs when an attacker controls the destination of an HTTP request that the server sends on their behalf. Because the request originates from the server, it can reach hosts the attacker cannot reach directly: internal services behind the firewall, cloud instance-metadata endpoints, or the loopback interface. Incorporating user input directly into an HTTP request URL is the most common way this control is handed to the attacker.

Remediations

  • Do not concatenate or include user input directly in URLs for HTTP requests. An attacker who controls any part of the URL (scheme, host, port, or path) can redirect the request to an unauthorized, internal, or malicious destination.
    // unsafe: the whole URL, including the host, comes from the request
    new URL(request.getParameter("someRandomUrl")).getContent();
  • Do validate or map user inputs to predefined options before using them to construct URLs. This approach ensures that the application only requests URLs to known, safe destinations, and the user-controlled value never becomes part of the URL itself.
    // the parameter selects between fixed destinations; it is never placed in the URL
    // ("option1".equals(...) rather than getParameter(...).equals(...) avoids an NPE when the parameter is absent)
    String url;
    if ("option1".equals(request.getParameter("selectedUrl"))) {
        url = "https://api1.com";
    } else {
        url = "https://api2.com";
    }

    new URL(url).getContent();
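The following is an added example that is not part of the Bearer rule text. It shows both remediation shapes side by side: a lookup table that maps a request parameter to a fixed destination (the rule's own recommendation, with unknown keys rejected instead of silently defaulted), and, for the case where the application genuinely must accept a caller-supplied URL, a validator that parses the URL with java.net.URI and checks scheme, userinfo, host and port against an allowlist. The hosts api1.com and api2.com are taken from the rule text; the class name, the allowlist contents and the HttpClient wiring are assumptions for illustration. It requires Java 11 or later.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Map;
import java.util.Set;

public final class SafeOutbound {

    // Option 1: the client never supplies a URL, only a key into this fixed table.
    private static final Map<String, URI> DESTINATIONS = Map.of(
        "option1", URI.create("https://api1.com/"),
        "option2", URI.create("https://api2.com/"));

    // Option 2: the client supplies a URL, but only these hosts (hypothetical allowlist) are accepted.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api1.com", "api2.com");

    // Redirects are disabled: an allowed host answering "302 Location: http://169.254.169.254/"
    // would otherwise carry the request past the check below.
    private static final HttpClient CLIENT = HttpClient.newBuilder()
        .followRedirects(HttpClient.Redirect.NEVER)
        .build();

    /** Maps a request parameter to a fixed destination; unknown keys are rejected, not defaulted. */
    public static URI destinationFor(String selected) {
        URI target = DESTINATIONS.get(selected);
        if (target == null) {
            throw new IllegalArgumentException("unknown destination key");
        }
        return target;
    }

    /** Validates a caller-supplied absolute URL against the host allowlist. */
    public static URI validateUserUrl(String raw) {
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("only https is allowed");
        }
        if (uri.getRawUserInfo() != null) {
            // "https://api1.com@169.254.169.254/" parses with host 169.254.169.254 and
            // userinfo "api1.com"; a substring check on the string would be fooled, so reject userinfo.
            throw new IllegalArgumentException("userinfo not allowed");
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not in allowlist");
        }
        if (uri.getPort() != -1 && uri.getPort() != 443) {
            throw new IllegalArgumentException("port not allowed");
        }
        return uri;
    }

    /** Performs the outbound request only after one of the two checks above has produced the URI. */
    public static String fetch(URI target) throws IOException, InterruptedException {
        HttpRequest req = HttpRequest.newBuilder(target).GET().build();
        HttpResponse<String> resp = CLIENT.send(req, HttpResponse.BodyHandlers.ofString());
        return resp.body();
    }

    public static void main(String[] args) {
        System.out.println("mapped: " + destinationFor("option1"));
        System.out.println("accepted: " + validateUserUrl("https://api1.com/v1/items?id=7"));
        String[] hostile = {                       // constructed inputs an attacker might send
            "http://api1.com/",                    // scheme downgrade
            "https://api1.com@169.254.169.254/",   // allowed host hidden in userinfo
            "https://evil.example/",               // host not in allowlist
            "https://api1.com:8443/"               // unexpected port
        };
        for (String bad : hostile) {
            try {
                validateUserUrl(bad);
                System.out.println("ACCEPTED (unexpected): " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + " -> " + e.getMessage());
            }
        }
    }
}
```

The lookup table is the stronger of the two: no attacker-controlled bytes reach the URL at all. The allowlist validator is only as good as the parser it shares with the HTTP client (both use java.net.URI here, so they agree on what the host is) and does not by itself defend against an allowed host that redirects or whose DNS record later points at an internal address; disabling redirects closes the first gap, and DNS pinning or an egress proxy is needed for the second.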

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_http_url_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_http_url_using_user_input