Metastatic.Analysis.BusinessLogic.SSRFVulnerability
(Metastatic v0.10.4)
Detects potential Server-Side Request Forgery (SSRF) vulnerabilities (CWE-918).
This analyzer identifies code patterns where user-controlled input is used to construct URLs that are then fetched by the server, potentially allowing attackers to access internal resources.
Cross-Language Applicability
SSRF is a universal web vulnerability:
- Elixir: HTTPoison.get(params["url"])
- Python: requests.get(request.args.get('url'))
- JavaScript/Node: axios.get(req.body.url)
- Ruby: Net::HTTP.get(URI(params[:url]))
- PHP: file_get_contents($_GET['url'])
- Java: new URL(request.getParameter("url")).openStream()
- C#: WebClient.DownloadString(Request.QueryString["url"])
- Go: http.Get(r.FormValue("url"))
Problem
When a URL is built from user input and fetched without validation, the server becomes a proxy that the attacker steers from its own network position:
- Requests reach internal services that are not exposed to the outside
- Internal networks and services can be scanned, with response timing and error messages as the oracle
- Cloud instance metadata endpoints (169.254.169.254 on AWS, GCP and Azure) become reachable and can leak instance credentials
- Firewall rules that only filter the external perimeter are bypassed
- Response bodies from those internal targets are returned to the attacker, exfiltrating sensitive data
Detection Strategy
Detects patterns where:
- HTTP client functions receive user-controlled URLs
- URL construction concatenates user input
- No URL validation/allowlisting is apparent
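The detection strategy above, as an added illustration rather than Metastatic's own analyzer (whose implementation this page does not show): a two-pass walk over the Elixir AST that first records variable names bound from request params and then flags calls to a fixed list of HTTP client sinks whose URL argument derives from them. The sink list, the taint rules and the sample controller source are assumptions made for the example.

```elixir
# Added example, not Metastatic's own analyzer: a heuristic AST scan for
# HTTP-client calls whose URL argument is derived from request parameters.
# The sink list, the taint rules and the sample source are assumptions.
defmodule SsrfSinkScan do
  # HTTP client functions treated as SSRF sinks: {alias parts, function}.
  @sinks [{[:HTTPoison], :get}, {[:HTTPoison], :request}, {[:Req], :get}, {[:Tesla], :get}]

  # Constructed sample controller: three sinks fed from params (a variable
  # bound in the function head, a concatenation, an interpolation of
  # conn.params) plus one module-attribute URL that is not user-controlled.
  @sample ~S'''
  defmodule FetchController do
    def fetch(conn, %{"url" => url}) do
      {:ok, resp} = HTTPoison.get(url)
      json(conn, %{content: resp.body})
    end

    def proxy(conn, params) do
      target = "https://api.example.com/" <> params["path"]
      {:ok, _} = HTTPoison.get(target)
      {:ok, _} = Req.get("https://#{conn.params["host"]}/")
      {:ok, _} = HTTPoison.get(@status_url)
      json(conn, %{ok: true})
    end
  end
  '''

  # Returns [{line, "Module.function"}] for each sink call whose URL
  # argument is user-controlled, in source order.
  def scan(source) when is_binary(source) do
    {:ok, ast} = Code.string_to_quoted(source)
    vars = tainted_vars(ast)

    {_ast, findings} =
      Macro.prewalk(ast, [], fn
        {{:., _, [{:__aliases__, _, mod}, fun]}, meta, [url | _]} = node, acc ->
          if {mod, fun} in @sinks and tainted?(url, vars) do
            {node, [{meta[:line], Enum.join(mod, ".") <> ".#{fun}"} | acc]}
          else
            {node, acc}
          end

        node, acc ->
          {node, acc}
      end)

    Enum.reverse(findings)
  end

  def run do
    for {line, sink} <- scan(@sample) do
      IO.puts("line #{line}: #{sink} is called with a user-controlled URL")
    end
  end

  # Pass 1: names of variables bound from params, either in a controller-style
  # head `def f(conn, %{"url" => url})` or by `x = params["url"]`. This is a
  # flat name set with no scoping, so it errs on the side of reporting.
  defp tainted_vars(ast) do
    {_ast, vars} =
      Macro.prewalk(ast, MapSet.new(), fn
        {d, _, [{_name, _, args}, _body]} = node, acc when d in [:def, :defp] and is_list(args) ->
          bound =
            for {:%{}, _, pairs} <- args, {_key, {v, _, ctx}} <- pairs, is_atom(v) and is_atom(ctx), do: v

          {node, Enum.into(bound, acc)}

        {:=, _, [{v, _, ctx}, rhs]} = node, acc when is_atom(v) and is_atom(ctx) ->
          if tainted?(rhs, acc), do: {node, MapSet.put(acc, v)}, else: {node, acc}

        node, acc ->
          {node, acc}
      end)

    vars
  end

  # Pass 2: does a URL expression derive from user input? Covers `params`,
  # `conn.params`, Access and Map reads of those, tainted variables, and
  # string concatenation or interpolation that contains any of them.
  defp tainted?({v, _, ctx}, vars) when is_atom(v) and is_atom(ctx),
    do: v == :params or MapSet.member?(vars, v)

  defp tainted?({{:., _, [{:conn, _, ctx}, :params]}, _, []}, _vars) when is_atom(ctx), do: true
  defp tainted?({{:., _, [Access, :get]}, _, [src | _]}, vars), do: tainted?(src, vars)

  defp tainted?({{:., _, [{:__aliases__, _, [:Map]}, f]}, _, [src | _]}, vars)
       when f in [:get, :fetch, :fetch!],
       do: tainted?(src, vars)

  # string interpolation wraps each fragment in Kernel.to_string/1 and a ::binary spec
  defp tainted?({{:., _, [Kernel, :to_string]}, _, [e]}, vars), do: tainted?(e, vars)
  defp tainted?({:"::", _, [e, _type]}, vars), do: tainted?(e, vars)
  defp tainted?({:<<>>, _, parts}, vars), do: Enum.any?(parts, &tainted?(&1, vars))
  defp tainted?({:<>, _, [l, r]}, vars), do: tainted?(l, vars) or tainted?(r, vars)
  defp tainted?(_other, _vars), do: false
end

SsrfSinkScan.run()
```

Run with `elixir ssrf_sink_scan.exs`. On the sample it reports the three calls fed from params and stays silent on the module-attribute URL. Because the variable set is flat and unscoped, a name reused in another function is still treated as tainted, which is the right trade-off for a scanner that feeds a human review; the third bullet of the strategy (no validation is apparent) is not modelled here at all, so a call behind an allowlist check would still be reported.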
Examples
Bad (Elixir)
def fetch(conn, %{"url" => url}) do
  # url comes straight from the request body and is fetched as-is
  {:ok, response} = HTTPoison.get(url)
  json(conn, %{content: response.body})
end
Good (Elixir)
@allowed_domains ["api.example.com", "cdn.example.com"]
def fetch(conn, %{"url" => url}) do
  uri = URI.parse(url)
  # an input without a scheme (e.g. "api.example.com/x") parses with host nil
  # and scheme nil, so it fails the check and reaches the error branch
  if uri.host in @allowed_domains and uri.scheme == "https" do
    {:ok, response} = HTTPoison.get(url)
    json(conn, %{content: response.body})
  else
    conn |> put_status(400) |> json(%{error: "Invalid URL"})
  end
end
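The host allowlist above stops the common cases, but a practitioner will usually want two more checks: that the allowlisted name does not resolve (or get CNAMEd) into a private range, and that the client is not following redirects off the allowlisted host. The following is an added example of such a gate, not the project's code; the allowlist, the port list, the `SafeFetch` module and its helper names are assumptions, and `resolve/1` needs working DNS while `fetch/1` assumes HTTPoison is a dependency.

```elixir
# Added example, not the project's code: a stricter SSRF gate than a bare
# host check. The allowlist, ports and helper names are assumptions.
defmodule SafeFetch do
  @allowed_hosts ["api.example.com", "cdn.example.com"]
  @allowed_ports [443]

  # Returns {:ok, uri} if url may be fetched, otherwise {:error, reason}.
  def validate(url) when is_binary(url) do
    uri = URI.parse(url)

    with :ok <- check(uri.scheme == "https", :scheme),
         # userinfo is never legitimate here; "https://api.example.com@evil.com/"
         # parses with host "evil.com", so refuse the whole shape up front
         :ok <- check(is_nil(uri.userinfo), :userinfo),
         # a missing scheme or a bare path gives host nil, which fails here
         :ok <- check(uri.host in @allowed_hosts, :host),
         # URI.parse fills in the scheme's default port when none is given
         :ok <- check(uri.port in @allowed_ports, :port),
         {:ok, addrs} <- resolve(uri.host),
         # an allowlisted name that resolves into a private range is refused
         :ok <- check(Enum.all?(addrs, &public_ip?/1), :private_address) do
      {:ok, uri}
    end
  end

  def fetch(url) do
    with {:ok, uri} <- validate(url) do
      # HTTPoison does not follow redirects unless asked; keep it that way so a
      # 3xx from the allowlisted host cannot send the request somewhere else.
      HTTPoison.get(URI.to_string(uri), [], follow_redirect: false)
    end
  end

  defp check(true, _reason), do: :ok
  defp check(false, reason), do: {:error, reason}

  # Resolve A and AAAA records so the check covers every address the client
  # could connect to. Remaining gap: the HTTP client resolves again at request
  # time (DNS rebinding); pinning the checked address in the client closes it.
  defp resolve(host) do
    chars = String.to_charlist(host)

    addrs =
      for fam <- [:inet, :inet6], {:ok, list} <- [:inet.getaddrs(chars, fam)], addr <- list, do: addr

    if addrs == [], do: {:error, :dns}, else: {:ok, addrs}
  end

  # Address ranges a server-side fetch must never reach.
  defp public_ip?({0, _, _, _}), do: false
  defp public_ip?({10, _, _, _}), do: false
  defp public_ip?({100, b, _, _}) when b in 64..127, do: false
  defp public_ip?({127, _, _, _}), do: false
  # link-local, which includes the 169.254.169.254 cloud metadata endpoint
  defp public_ip?({169, 254, _, _}), do: false
  defp public_ip?({172, b, _, _}) when b in 16..31, do: false
  defp public_ip?({192, 168, _, _}), do: false
  defp public_ip?({0, 0, 0, 0, 0, 0, 0, 0}), do: false
  defp public_ip?({0, 0, 0, 0, 0, 0, 0, 1}), do: false
  # IPv4-mapped IPv6 (::ffff:a.b.c.d) is re-checked as the IPv4 address it wraps
  defp public_ip?({0, 0, 0, 0, 0, 0xFFFF, hi, lo}),
    do: public_ip?({div(hi, 256), rem(hi, 256), div(lo, 256), rem(lo, 256)})
  defp public_ip?({a, _, _, _, _, _, _, _}) when a in 0xFE80..0xFEBF, do: false
  defp public_ip?({a, _, _, _, _, _, _, _}) when a in 0xFC00..0xFDFF, do: false
  defp public_ip?(_addr), do: true
end
```

With this gate, `SafeFetch.validate("http://api.example.com/")` stops at `{:error, :scheme}`, `"https://169.254.169.254/latest/meta-data/"` stops at `{:error, :host}`, and `"https://api.example.com@evil.com/"` stops at `{:error, :userinfo}`, none of them reaching DNS. The allowlist is what carries the guarantee; the resolution check is a second layer for the case where an allowlisted name is later pointed at something internal.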