/
http_url_using_user_input.yml
103 lines (99 loc) · 3.1 KB
/
http_url_using_user_input.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
languages:
- javascript
imports:
- javascript_shared_common_user_input
patterns:
- pattern: |
$<LIBRARY>.$<METHOD>($<USER_INPUT>$<...>)
filters:
- variable: USER_INPUT
detection: javascript_shared_common_user_input
scope: result
- variable: LIBRARY
values:
- axios
- http
- variable: METHOD
values:
- get
- post
- patch
- delete
- pattern: |
axios($<USER_INPUT_CONFIG>)
filters:
- variable: USER_INPUT_CONFIG
detection: javascript_lang_http_url_using_user_input_axios_object
scope: cursor
- pattern: |
fetch($<USER_INPUT>$<...>)
filters:
- variable: USER_INPUT
detection: javascript_shared_common_user_input
scope: result
- pattern: |
$<XML_HTTP>.open($<_>, $<USER_INPUT>$<...>)
filters:
- variable: XML_HTTP
detection: javascript_lang_http_url_using_user_input_xmlhttp
scope: cursor
- variable: USER_INPUT
detection: javascript_shared_common_user_input
scope: result
- pattern: |
request($<USER_INPUT>$<...>)
filters:
- variable: USER_INPUT
detection: javascript_shared_common_user_input
scope: result
- pattern: |
request.$<METHOD>($<USER_INPUT>$<...>)
filters:
- variable: METHOD
values:
- get
- head
- options
- post
- put
- patch
- del
- variable: USER_INPUT
detection: javascript_shared_common_user_input
scope: result
auxiliary:
- id: javascript_lang_http_url_using_user_input_axios_object
patterns:
- pattern: |
{ url: $<USER_INPUT> }
filters:
- variable: USER_INPUT
detection: javascript_shared_common_user_input
scope: result
- id: javascript_lang_http_url_using_user_input_xmlhttp
patterns:
- new XMLHttpRequest()
severity: high
metadata:
description: "Unsanitized user input in HTTP request (SSRF)"
remediation_message: |-
## Description
Constructing URLs based on user input puts your application at risk of Server-Side Request Forgery (SSRF) attacks. This vulnerability allows attackers to manipulate the application into making unintended HTTP requests.
## Remediations
- **Do not** directly incorporate user input into URLs for HTTP requests. This can lead to SSRF vulnerabilities.
```javascript
const response = axios.get(`https://${req.params.host}`) // unsafe
```
- **Do** validate or map user input against a predefined list of allowed values before using it to form URLs. This approach minimizes the risk of SSRF attacks.
```javascript
const hosts = new Map([
["option1", "api1.com"],
["option2", "api2.com"]
])
const host = hosts.get(req.params.host)
const response = axios.get(`https://${host}`)
```
cwe_id:
- 918
id: javascript_lang_http_url_using_user_input
documentation_url: https://docs.bearer.com/reference/rules/javascript_lang_http_url_using_user_input