Server Side Request Forgery (SSRF) via Unvalidated User Input in Net::HTTP Methods
Description
The application passes unvalidated user input to Net::HTTP methods, which can lead to Server Side Request Forgery (SSRF) or HTTP Parameter Pollution (HPP). Using untrusted input to build outbound HTTP requests without proper validation and sanitization can lead to a range of security vulnerabilities, including SSRF, injection attacks, unintended data leaks, and unauthorized actions performed on behalf of the attacker (for example, requests to internal services that the server, but not the attacker, can reach).
Examples
Insecure Code

```ruby
Net::HTTP.get(params[:url])
```

Secure Code

```ruby
require 'uri'

uri = URI.parse(user_input)
response = Net::HTTP.get(uri) if uri.scheme.match?(/\Ahttps?\z/) && uri.host == 'www.abc.com'
```

Remediation
Validate and sanitize user-controlled input against a strict set of rules (e.g., expected data types, patterns, and lengths) before using it in HTTP requests. Consider using higher-level abstractions or frameworks that automatically handle some of these concerns.
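The allow-list check from the secure snippet above, extended into a reusable validator (added example, not part of the original rule text). `ALLOWED_HOSTS` and the sample inputs are constructed; the validator additionally rejects URLs that carry credentials in the authority, use a non-default port, or are not absolute http(s) URLs, all of which the one-line check would otherwise let through or crash on.

```ruby
require 'uri'
require 'net/http'

# Constructed allow-list of hosts the application is permitted to contact.
ALLOWED_HOSTS = ['www.abc.com'].freeze
ALLOWED_SCHEMES = ['http', 'https'].freeze

# Returns a validated URI, or nil when the input must not be fetched.
# Rejects anything that is not an absolute http(s) URL on an allow-listed
# host using the scheme's default port, and anything with userinfo in the
# authority ("https://www.abc.com@other.example/" has host other.example).
def safe_outbound_uri(user_input)
  uri = URI.parse(user_input.to_s)
  return nil unless uri.is_a?(URI::HTTP)            # URI::HTTPS is a subclass
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme)
  return nil if uri.userinfo                         # credentials in authority
  return nil unless ALLOWED_HOSTS.include?(uri.host.to_s.downcase)
  return nil unless uri.port == uri.default_port     # no non-standard ports
  uri
rescue URI::InvalidURIError
  nil                                                # malformed input is rejected, not raised
end

# Performs the request only when the URL passed validation.
def fetch_if_allowed(user_input)
  uri = safe_outbound_uri(user_input)
  return nil unless uri
  Net::HTTP.get_response(uri)
end
```

Log rejected inputs (not just the allowed ones) so that probing for internal hosts shows up in monitoring.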
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0537 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-918 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | SSRF, HPP, injection |
| OWASP | A1:2017-Injection, A10:2021-Server-Side Request Forgery |