Unsanitized user input in HTTP request (SSRF)

Description

Including user input when constructing URLs makes your application vulnerable to Server-Side Request Forgery (SSRF): an attacker who controls part of the URL, in particular the host, can make the server send requests to locations it never intended to reach, such as internal services or cloud metadata endpoints. Because the request originates from the server, it may carry the server's network position and credentials.

Remediations

  • Do not directly incorporate user input into HTTP URLs. When the input lands in the host part of the URL, the attacker picks the destination of the request outright.
    Faraday.get("https://#{params[:host]}") # unsafe: params[:host] chooses the destination host
  • Do validate or map user input against a predefined list of safe values before using it to form URLs. Only the mapped value reaches the URL, so the attacker cannot steer the request. Reject input that matches nothing instead of letting it fall through as nil, which would otherwise produce a request to "https://".
    host =
      case params[:host]
      when "option1"
        "api1.com"
      when "option2"
        "api2.com"
      else
        raise ArgumentError, "unknown host option" # unmatched input must not silently become nil
      end

    Faraday.get("https://#{host}")
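The two remediations above side by side, as an added example that is not part of this rule page or of Bearer's own code. It shows the unsafe interpolation, the option-to-host mapping, and a second safe variant for the case where the application must accept a full URL: parse it first, compare the parsed host against the allowlist as a whole string, and rebuild the URL from the parsed parts. The constants UPSTREAM_HOSTS and UnsafeHostError and the three function names are assumptions made for the example; no network request is made, the functions only build the URL that would be passed to a client such as Faraday.

```ruby
require "uri"

# Allowlist of upstream hosts keyed by the opaque option name a client may send.
# Constructed for this example; in a real application it belongs in configuration.
UPSTREAM_HOSTS = {
  "option1" => "api1.com",
  "option2" => "api2.com",
}.freeze

# Raised whenever user input would steer the request somewhere unexpected.
class UnsafeHostError < ArgumentError; end

# Unsafe: the client controls the whole authority of the URL. A value such as
# "169.254.169.254/latest/meta-data/" or "api1.com@internal-service" reaches a
# host the application never intended to contact.
def unsafe_url(params)
  "https://#{params[:host]}"
end

# Safe: user input only selects an entry from a fixed map and never appears in
# the URL itself. Unknown options are rejected rather than becoming nil.
def safe_url_from_option(params, path: "/")
  host = UPSTREAM_HOSTS.fetch(params[:host]) do
    raise UnsafeHostError, "unknown host option"
  end
  URI::HTTPS.build(host: host, path: path).to_s
end

# Safe when a full URL must be accepted: parse, then compare the parsed host
# against the allowlist as a whole string (no prefix or substring matching,
# so "api1.com.evil.com" and "api1.com@evil.com" are rejected), and rebuild
# the URL from the parsed components only.
def safe_url_from_input(input, allowed_hosts: UPSTREAM_HOSTS.values)
  uri = URI.parse(input.to_s)
  raise UnsafeHostError, "scheme must be https" unless uri.is_a?(URI::HTTPS)
  raise UnsafeHostError, "userinfo not permitted" if uri.userinfo
  raise UnsafeHostError, "host not in allowlist" unless allowed_hosts.include?(uri.host)

  URI::HTTPS.build(
    host: uri.host,
    port: uri.port,
    path: uri.path.empty? ? "/" : uri.path,
    query: uri.query
  ).to_s
rescue URI::InvalidURIError
  raise UnsafeHostError, "malformed URL"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters, as an attacker might send them.
  puts unsafe_url({ host: "169.254.169.254/latest/meta-data/" })
  puts safe_url_from_option({ host: "option1" })
  puts safe_url_from_input("https://api2.com/v1/users?limit=5")
  begin
    safe_url_from_input("https://api1.com@evil.com/")
  rescue UnsafeHostError => e
    puts "rejected: #{e.message}"
  end
end
```

The mapping approach is preferable whenever the set of destinations is small and known in advance, since the input never touches the URL at all. The parse-then-compare variant is for endpoints that genuinely need a caller-supplied URL; the important details are that the comparison happens on the parsed host rather than on the raw string, and that the outgoing URL is rebuilt from the parsed components so nothing the parser ignored can survive into the request.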

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_http_url_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_http_url_using_user_input