OeditusCredo.Check.Security.SSRFVulnerability (OeditusCredo v0.6.1)


Basics

This check is disabled by default.

Learn how to enable it via .credo.exs.

This check has a base priority of higher and works with any version of Elixir.

Explanation

Detects potential Server-Side Request Forgery vulnerabilities (CWE-918).

Making an outbound HTTP request to a URL taken from user input turns the server into a proxy: an attacker can point it at services that are not reachable from the internet, such as internal admin interfaces, databases with HTTP APIs, or cloud instance-metadata endpoints (for example 169.254.169.254), and read the response or trigger side effects from the server's network position.

Bad (the request target is taken straight from user input):

HTTPoison.get(params["url"])      # request parameter flows directly into the client
Req.get(url: user_url)            # same flaw with Req
Tesla.get(client, user_url)       # same flaw with Tesla

Good (the target is checked against an allowlist before any request is made):

# validate the host against an explicit allowlist before the request;
# URI.parse/1 returns host: nil for input without a host, which is then rejected
uri = URI.parse(url)
if uri.host in @allowed_hosts, do: HTTPoison.get(url)
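A fuller version of the allowlist pattern, added here as an illustration rather than code from OeditusCredo: the validator rejects non-https schemes, missing hosts and userinfo tricks such as `https://api.example.com@169.254.169.254/` before comparing the host against the allowlist, and the HTTP client only ever receives the validated string. The module name `SafeFetch`, the `@allowed_hosts` entries and `fetch/1` are assumptions for the example.

```elixir
# Added example, not part of OeditusCredo. Module name, allowlist entries and
# function names are assumptions; HTTPoison is used because the page uses it.
defmodule SafeFetch do
  @allowed_hosts ["api.example.com", "cdn.example.com"]
  @allowed_schemes ["https"]

  # Returns {:ok, url} only for an https URL whose host is on the allowlist.
  # Everything else is rejected before a socket is opened: other schemes
  # (http, file, gopher), input without a host, URLs carrying userinfo
  # ("https://api.example.com@169.254.169.254/" parses with host
  # "169.254.169.254" and userinfo "api.example.com"), and unknown hosts.
  def validate_url(url) when is_binary(url) do
    uri = URI.parse(url)

    cond do
      uri.scheme not in @allowed_schemes -> {:error, :scheme_not_allowed}
      is_nil(uri.host) or uri.host == "" -> {:error, :missing_host}
      not is_nil(uri.userinfo) -> {:error, :userinfo_not_allowed}
      uri.host not in @allowed_hosts -> {:error, :host_not_allowed}
      true -> {:ok, URI.to_string(uri)}
    end
  end

  def validate_url(_), do: {:error, :not_a_string}

  # The client is called with the validated string, never with the raw input,
  # so a reviewer (or the check) can see that the request target is derived
  # from validate_url/1 rather than from params.
  def fetch(url) do
    with {:ok, safe_url} <- validate_url(url) do
      HTTPoison.get(safe_url)
    end
  end
end

# SafeFetch.validate_url("https://api.example.com/v1/items")
#   -> {:ok, "https://api.example.com/v1/items"}
# SafeFetch.validate_url("http://169.254.169.254/latest/meta-data/")
#   -> {:error, :scheme_not_allowed}
# SafeFetch.validate_url("https://api.example.com@169.254.169.254/")
#   -> {:error, :userinfo_not_allowed}
```

Two caveats a practitioner should keep in mind. First, the allowlist compares host names, not the addresses they resolve to; a name you allow that is under someone else's control, or that can be re-pointed (DNS rebinding), still lets traffic reach an internal address. Second, redirects are a separate decision per client: hackney, which HTTPoison wraps, does not follow redirects unless `follow_redirect: true` is set, while clients that follow redirects by default can be bounced from an allowed host to an internal one, so the validation has to be repeated on every hop or redirect following disabled.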

Check-Specific Parameters

Use the following parameters to configure this check:

:exclude_test_files

Set to true to skip test files (the check's documented default is false).

This parameter defaults to nil, which behaves like false: test files are scanned unless the parameter is set to true.

:extra_http_modules

Additional HTTP client modules to check, given as a list of alias atom lists, e.g. [[:MyHTTP]] for MyHTTP (documented default: []).

This parameter defaults to nil, so no modules beyond the built-in HTTPoison, Req and Tesla detection are checked unless it is set.

General Parameters

Like with all checks, general params can be applied.

Parameters can be configured via the .credo.exs config file.
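An added example of a .credo.exs fragment that enables the check and sets both parameters; this is not configuration shipped by OeditusCredo. It assumes the Credo config layout with a `checks: %{enabled: [...]}` map, that the check is referenced by its module name, and that an in-house client module `MyHTTP` exists; whether OeditusCredo additionally needs a `plugins:` entry is not stated on this page, so none is shown.

```elixir
# .credo.exs (added example, not OeditusCredo's own file).
# Assumptions: Credo's map-style checks config; an in-house HTTP module MyHTTP.
%{
  configs: [
    %{
      name: "default",
      checks: %{
        enabled: [
          # The check is disabled by default, so it must be listed explicitly.
          {OeditusCredo.Check.Security.SSRFVulnerability,
           [
             # skip files under test/ so fixtures with literal URLs do not trigger it
             exclude_test_files: true,
             # also treat calls on MyHTTP as outbound requests; each module is
             # written as its alias segments, so My.HTTP would be [:My, :HTTP]
             extra_http_modules: [[:MyHTTP]]
           ]}
        ]
      }
    }
  ]
}
```

After adding the entry, `mix credo --strict` reports an issue at each call site where a user-controlled value reaches one of the listed HTTP modules; the check's priority of higher means those issues are not hidden at the default verbosity.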