Unsanitized user input in HTTP request (SSRF)
- Rule ID: javascript_express_server_side_request_forgery
- Languages: javascript
- Source: server_side_request_forgery.yml
Description
Using unsanitized URLs from the request object when retrieving data puts your application at risk of server-side request forgery (SSRF) attacks. This rule checks for URLs containing user-supplied data.
Remediations
❌ Avoid using user input in URLs:
axios.get(`https://${req.params.host}`)✅ Use user input indirectly to form a URL:
var host = "default-api.com"
if req.params.host == "something-else" {
host = "other-api.com"
}
axios.get(`https://${host}`)Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_express_server_side_request_forgeryTo run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_express_server_side_request_forgery