Skip to content

Cover NestJS SSRF with vulnerable and safe fixtures #17

Description

@malik111110

Outcome

PF-NESTJS-SSRF-001 documents its source-to-sink expectation with focused positive and negative cases.

Maintainer guidance

Use the existing NestJS test helpers and keep the snippets minimal. A safe case may use a fixed upstream URL or explicit allowlist validation that the current safe-pattern model understands.

Acceptance criteria

  • Add a controller case that sends request-controlled input to the HTTP client sink.
  • Assert the finding ID is PF-NESTJS-SSRF-001.
  • Add a constant or validated-destination safe case.
  • Assert the safe case produces no PF-NESTJS-SSRF-001 finding.
  • Tests use source snippets only and make no network request.
  • go test ./internal/sast/frameworks/nestjs -count=1 passes.
  • gofmt produces no diff.

Scope

Start with internal/sast/frameworks/nestjs/pack_test.go and internal/sast/frameworks/nestjs/rules.go. Refs #7.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions