Server-side request forgery (SSRF) in wkhtmltoimage
Description
This rule detects instances where a user-controlled URL is passed directly to the `generate` function of the `wkhtmltoimage` library, which can lead to a Server-Side Request Forgery (SSRF) vulnerability: the renderer fetches whatever the URL points at, on the server's behalf and from the server's network position.
Examples
Insecure Code

```javascript
wkhtmltoimage.generate(userInputUrl, { output: 'output.jpg' })
```

Secure Code

```javascript
const parsedUrl = new URL(userInputUrl)
if (allowedDomains.includes(parsedUrl.hostname)) { wkhtmltoimage.generate(userInputUrl, { output: 'output.jpg' }) }
```

Remediation
Implement an allowlist for acceptable domains or schemes to ensure that URLs are safe and intended for public access. Consider using server-side proxy services that restrict outgoing requests to trusted domains and resources.
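The following is an added example of the allowlist approach described in the remediation; it is not code from the rule page or from the `wkhtmltoimage` project. It parses the user-supplied URL with the WHATWG `URL` class and rejects anything that is not `https:`, carries embedded credentials, names a non-default port, or whose hostname is not an exact member of the allowlist. The hostnames in `ALLOWED_HOSTS`, the `validateRenderUrl` and `renderThumbnail` names, and the injected `generate` callback are assumptions made for this example.

```javascript
// Added example: strict URL allowlisting before a user-supplied URL reaches a
// renderer such as wkhtmltoimage. Host names and function names are assumptions.

// Constructed allowlist: only these exact hostnames may be rendered.
const ALLOWED_HOSTS = new Set(['www.example.com', 'docs.example.com']);
const ALLOWED_PROTOCOLS = new Set(['https:']);

// Returns the normalized URL string if every check passes, or null otherwise.
function validateRenderUrl(input, allowedHosts = ALLOWED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(String(input));
  } catch (e) {
    return null; // unparseable input is rejected rather than coerced
  }
  // Reject file:, ftp:, data:, gopher: and plain http: outright.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  // Reject embedded credentials (user:pass@host).
  if (parsed.username !== '' || parsed.password !== '') return null;
  // Exact hostname match: no suffix matching, so "www.example.com.evil.test" fails.
  if (!allowedHosts.has(parsed.hostname)) return null;
  // The URL parser drops the protocol's default port, so any remaining port is
  // non-default and the allowlisted host would be reached on an unexpected service.
  if (parsed.port !== '') return null;
  return parsed.href;
}

// Wrapper that only calls the renderer with a validated URL. The renderer is
// injected as a callback so the example runs without wkhtmltoimage installed;
// in real code this would be wkhtmltoimage.generate.
function renderThumbnail(userInputUrl, generate, output = 'output.jpg') {
  const safeUrl = validateRenderUrl(userInputUrl);
  if (safeUrl === null) {
    throw new Error('URL rejected by allowlist');
  }
  return generate(safeUrl, { output });
}

// Demonstration on a constructed input with a stand-in renderer.
const fakeGenerate = (url, opts) => `rendered ${url} -> ${opts.output}`;
console.log(renderThumbnail('https://www.example.com/report', fakeGenerate));
```

Two points worth keeping in mind when applying this pattern: the check must run on the parsed form of the same string that is handed to the renderer (here the normalized `href` is passed on, not the raw input), and a hostname allowlist governs only the top-level URL. An HTML page served by an allowed host can still reference images, stylesheets or redirects on other hosts, which the renderer will fetch, so the allowlist should be paired with network-level egress restrictions or a proxy that enforces the same policy on every outbound request, as the remediation suggests.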
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0414 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-918 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | SSRF, Server-side request forgery |
| OWASP | A1:2017-Injection, A10:2021-Server-Side Request Forgery |