Risk of server-side request forgery detected.
- Rule ID: javascript_express_server_side_request_forgery
- Languages: javascript
- Source: server_side_request_forgery.yml
Description
Using unsanitized URLs from the request object when retrieving data puts your application at risk of server-side request forgery (SSRF) attacks. This rule checks for URLs containing user-supplied data.
Remediations
❌ Avoid using user input in URLs:
axios.get(`https://${req.params.host}`)
✅ Use user input indirectly to form a URL:
var host = "default-api.com"
if req.params.host == "something-else" {
host = "other-api.com"
}
axios.get(`https://${host}`)