User Input Controls Remote URL Destination
Description
Detected user input flowing into the construction of a URL, which can lead to Server-Side Request Forgery (SSRF). Use allowlists for host validation to prevent this vulnerability.
Examples
Insecure Code
```java
// User input becomes the URL directly, so the server connects wherever the input points
new URL(userInput);
```
Secure Code
```java
// Only build the URL once the destination has been checked against a fixed allowlist
if (allowlist.contains(url)) {
    new URL(url);
}
```
Remediation
Validate user input against an allowlist before constructing URLs.
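The following is an added example of the remediation described above; it is not the rule's own code. It assumes a hypothetical `OutboundUrlPolicy` class with a constructed `allowedHosts` set, and the inputs in `main` are constructed samples. It parses the input with `java.net.URI`, accepts only absolute `https` URLs whose host is an exact, case-insensitive member of the allowlist, refuses credentials in the authority (which can make a naive string check see a permitted host that is not the one connected to), and returns the validated `URI` object so that the value checked is the value used.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

// Added example, not the rule's own code: a host-allowlist policy for user-supplied URLs.
// OutboundUrlPolicy, allowedHosts and the sample inputs below are constructed for illustration.
public final class OutboundUrlPolicy {
    private final Set<String> allowedHosts;  // lower-case hostnames, exact match only

    public OutboundUrlPolicy(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    // Returns the validated URI, or empty when the input must not be fetched.
    // Callers connect to the returned object, so the checked value is the used value.
    public Optional<URI> validate(String userInput) {
        final URI uri;
        try {
            uri = new URI(userInput).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty();  // unparsable input is never fetched
        }
        // Only absolute https URLs; relative paths and other schemes are refused.
        if (uri.getScheme() == null || !uri.getScheme().equalsIgnoreCase("https")) {
            return Optional.empty();
        }
        // Refuse "user@host" authorities: the part before '@' is userinfo, not the host.
        if (uri.getUserInfo() != null) {
            return Optional.empty();
        }
        String host = uri.getHost();
        if (host == null) {
            return Optional.empty();
        }
        // Exact, case-insensitive membership; no prefix, suffix or substring matching.
        if (!allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            return Optional.empty();
        }
        return Optional.of(uri);
    }

    public static void main(String[] args) {
        OutboundUrlPolicy policy = new OutboundUrlPolicy(Set.of("api.example.com"));
        String[] samples = {  // constructed inputs
            "https://api.example.com/v1/items?id=42",   // allowed
            "https://API.example.com/v1/items",         // allowed: host compared case-insensitively
            "http://api.example.com/v1/items",          // denied: scheme is not https
            "https://api.example.com.evil.example/v1",  // denied: different host, no suffix match
            "https://api.example.com@evil.example/v1",  // denied: userinfo present, host is evil.example
            "/v1/items",                                // denied: not absolute
            "not a url"                                 // denied: does not parse
        };
        for (String s : samples) {
            System.out.println(policy.validate(s).map(u -> "ALLOW " + u).orElse("DENY  " + s));
        }
    }
}
```

The policy returns the parsed `URI` rather than a boolean so that the HTTP client is handed exactly the object that was validated; re-parsing the original string later would reopen the gap between what was checked and what is fetched.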
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0101 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-918 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | ssrf, server-side request forgery |
| OWASP | A10:2021-Server-Side Request Forgery |