http_url_using_user_input.yml

languages:
  - javascript
imports:
  - javascript_shared_common_user_input
patterns:
  - pattern: |
      $<LIBRARY>.$<METHOD>($<USER_INPUT>$<...>)
    filters:
      - variable: USER_INPUT
        detection: javascript_shared_common_user_input
        scope: result
      - variable: LIBRARY
        values:
          - axios
          - http
      - variable: METHOD
        values:
          - get
          - post
          - patch
          - delete
  - pattern: |
      axios($<USER_INPUT_CONFIG>)
    filters:
      - variable: USER_INPUT_CONFIG
        detection: javascript_lang_http_url_using_user_input_axios_object
        scope: cursor
  - pattern: |
      fetch($<USER_INPUT>$<...>)
    filters:
      - variable: USER_INPUT
        detection: javascript_shared_common_user_input
        scope: result
  - pattern: |
      $<XML_HTTP>.open($<_>, $<USER_INPUT>$<...>)
    filters:
      - variable: XML_HTTP
        detection: javascript_lang_http_url_using_user_input_xmlhttp
        scope: cursor
      - variable: USER_INPUT
        detection: javascript_shared_common_user_input
        scope: result
  - pattern: |
      request($<USER_INPUT>$<...>)
    filters:
      - variable: USER_INPUT
        detection: javascript_shared_common_user_input
        scope: result
  - pattern: |
      request.$<METHOD>($<USER_INPUT>$<...>)
    filters:
      - variable: METHOD
        values:
          - get
          - head
          - options
          - post
          - put
          - patch
          - del
      - variable: USER_INPUT
        detection: javascript_shared_common_user_input
        scope: result
auxiliary:
  - id: javascript_lang_http_url_using_user_input_axios_object
    patterns:
      - pattern: |
          { url: $<USER_INPUT> }
        filters:
          - variable: USER_INPUT
            detection: javascript_shared_common_user_input
            scope: result
  - id: javascript_lang_http_url_using_user_input_xmlhttp
    patterns:
      - new XMLHttpRequest()
severity: high
metadata:
  description: "Unsanitized user input in HTTP request (SSRF)"
  remediation_message: |-
    ## Description

    Constructing URLs based on user input puts your application at risk of Server-Side Request Forgery (SSRF) attacks. This vulnerability allows attackers to manipulate the application into making unintended HTTP requests.

    ## Remediations

    - **Do not** directly incorporate user input into URLs for HTTP requests. This can lead to SSRF vulnerabilities.
      ```javascript
      const response = axios.get(`https://${req.params.host}`) // unsafe
      ```
    - **Do** validate or map user input against a predefined list of allowed values before using it to form URLs. This approach minimizes the risk of SSRF attacks.
      ```javascript
      const hosts = new Map([
        ["option1", "api1.com"],
        ["option2", "api2.com"]
      ])

      const host = hosts.get(req.params.host)
      const response = axios.get(`https://${host}`)
      ```
  cwe_id:
    - 918
  id: javascript_lang_http_url_using_user_input
  documentation_url: https://docs.bearer.com/reference/rules/javascript_lang_http_url_using_user_input