Fix typos in SSRF query messages

java/spring/security/injection/tainted-url-host.yaml

@@ -8,9 +8,9 @@ rules:
     This could allow an attacker to send data to their own server,
     potentially exposing sensitive data such as cookies or authorization
     information sent with this request. They could also probe internal
-    servers or other resources that the server runnig this code can access.
+    servers or other resources that the server running this code can access.
     (This is called server-side request forgery, or SSRF.) Do not allow
-    arbitrary hosts. Instead, create an allowlist for approved hosts hardcode
+    arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode
     the correct host, or ensure that the user data can only affect the path or parameters.
   options:
     interfile: true

php/lang/security/injection/tainted-url-host.yaml

@@ -8,10 +8,10 @@ rules:
     to send data
     to their own server, potentially exposing sensitive data such as cookies or authorization information
     sent with this request.
-    They could also probe internal servers or other resources that the server runnig this code can access.
+    They could also probe internal servers or other resources that the server running this code can access.
     (This is called
     server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist
-    for approved hosts hardcode
+    for approved hosts, or hardcode
     the correct host.
   metadata:
     cwe:

python/django/security/injection/tainted-url-host.yaml

@@ -5,8 +5,8 @@ rules:
   message: User data flows into the host portion of this manually-constructed URL. This could allow an
     attacker to send data to their own server, potentially exposing sensitive data such as cookies or
     authorization information sent with this request. They could also probe internal servers or other
-    resources that the server runnig this code can access. (This is called server-side request forgery,
-    or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the
+    resources that the server running this code can access. (This is called server-side request forgery,
+    or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the
     correct host.
   metadata:
     cwe:

python/flask/security/injection/tainted-url-host.yaml

@@ -7,9 +7,9 @@ rules:
     This could allow an attacker to send data to their own server, potentially
     exposing sensitive data such as cookies or authorization information sent
     with this request. They could also probe internal servers or other
-    resources that the server runnig this code can access. (This is called
+    resources that the server running this code can access. (This is called
     server-side request forgery, or SSRF.) Do not allow arbitrary hosts.
-    Instead, create an allowlist for approved hosts hardcode the correct host.
+    Instead, create an allowlist for approved hosts, or hardcode the correct host.
   metadata:
     cwe:
     - 'CWE-918: Server-Side Request Forgery (SSRF)'

ruby/rails/security/injection/tainted-url-host.yaml

@@ -7,7 +7,7 @@ rules:
     This could allow an attacker to send data to their own server, potentially
     exposing sensitive data such as cookies or authorization information sent
     with this request. They could also probe internal servers or other resources
-    that the server runnig this code can access. (This is called server-side
+    that the server running this code can access. (This is called server-side
     request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter`
     gem and guard the url construction with `SsrfFilter(...)`, or create
     an allowlist for approved hosts.

scala/lang/security/audit/dispatch-ssrf.yaml

@@ -18,8 +18,8 @@ rules:
     A parameter being passed directly into `url` most likely lead to SSRF.
     This could allow an attacker to send data to their own server, potentially exposing sensitive data
     sent with this request.
-    They could also probe internal servers or other resources that the server runnig this code can access.
-    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct
+    They could also probe internal servers or other resources that the server running this code can access.
+    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct
     host.
   metadata:
     cwe:

scala/lang/security/audit/io-source-ssrf.yaml

@@ -20,8 +20,8 @@ rules:
     A parameter being passed directly into `fromURL` most likely lead to SSRF.
     This could allow an attacker to send data to their own server, potentially exposing sensitive data
     sent with this request.
-    They could also probe internal servers or other resources that the server runnig this code can access.
-    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct
+    They could also probe internal servers or other resources that the server running this code can access.
+    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct
     host.
   metadata:
     cwe:

scala/lang/security/audit/scalaj-http-ssrf.yaml

@@ -15,11 +15,11 @@ rules:
           ...
         }
   message: >-
-    A parameter being passed directly into `Http` most likely lead to SSRF.
+    A parameter being passed directly into `Http` can likely lead to SSRF.
     This could allow an attacker to send data to their own server, potentially exposing sensitive data
     sent with this request.
-    They could also probe internal servers or other resources that the server runnig this code can access.
-    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct
+    They could also probe internal servers or other resources that the server running this code can access.
+    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct
     host.
   metadata:
     cwe: