Merge pull request #18855 from Kwstubbs/ssrf_documentation

Python: Add more documentation in regards to SSRF
This commit is contained in:
yoff
2025-03-12 15:27:01 +01:00
committed by GitHub

@@ -5,8 +5,11 @@
<recommendation>
<p>To guard against SSRF attacks you should avoid putting user-provided input directly
into a request URL. Instead, either maintain a list of authorized URLs on the server and choose
from that list based on the input provided, or perform proper validation of the input.
into a request URL. On the application level, maintain a list of authorized URLs on the server and choose
from that list based on the input provided. If that is not possible, one should verify the IP address for all user-controlled
requests to ensure they are not private. This requires saving the verified IP address of each domain,
then utilizing a custom HTTP adapter to ensure that future requests to that domain use the verified IP address.
On the network level, you can segment the vulnerable application into its own LAN or block access to specific devices.
</p>
</recommendation>
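Review bot: The "ensure they are not private" wording in the added paragraph is narrower than what an SSRF check needs; the resolved address should also be rejected when it is loopback, link-local (including 169.254.0.0/16, which cloud metadata endpoints sit on) or an IPv6 equivalent, and the same check must be repeated on every redirect target, not only the first URL. Suggest naming which library's "custom HTTP adapter" is meant (this is a Python query's help text, so presumably `requests`' `HTTPAdapter`) and stating plainly that pinning the verified IP for later requests is what closes the DNS-rebinding window between validation and use. Minor: "one should verify" switches voice from the surrounding "you should", and "On the application level" / "On the network level" read better as "At the application level" / "At the network level".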