generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme


The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.


Definition

# Semgrep rule: flags nginx `proxy_pass` directives whose URL scheme is an
# nginx variable rather than a literal `http://` or `https://`.
rules:
  - id: dynamic-proxy-scheme
    # Only files matching these globs are scanned; nginx config kept under
    # other names or directories is not covered unless it matches one of them.
    paths:
      include:
        - "*.conf"
        - "*.vhost"
        - sites-available/*
        - sites-enabled/*
    # Generic (text-based) matching: nginx syntax is not parsed, so the
    # `pattern` below is a textual match on the directive.
    languages:
      - generic
    severity: WARNING
    message: The protocol scheme for this proxy is dynamically determined. This can
      be dangerous if the scheme can be injected by an attacker because it may
      forcibly alter the connection scheme. Consider hardcoding a scheme for
      this proxy.
    metadata:
      cwe:
        - "CWE-16: CWE CATEGORY: Configuration"
      # The linked gixy plugin documents the broader issue (attacker-chosen
      # upstream target); this rule only checks the scheme position.
      references:
        - https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md
      category: security
      technology:
        - nginx
      confidence: MEDIUM
      owasp:
        - A06:2017 - Security Misconfiguration
        - A05:2021 - Security Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    # `$$SCHEME` is intended to match an nginx variable reference (a literal
    # `$` followed by a name) in the scheme position; the examples show it
    # matching both `$1` and `$proxy_proto`. `...` absorbs the rest of the
    # directive up to `;`, including a space before the terminator.
    # NOTE(review): a built-in variable such as `$scheme` would also match
    # textually; whether that is a wanted finding should be confirmed.
    pattern: proxy_pass $$SCHEME:// ...;

Examples

dynamic-proxy-scheme.conf

# Semgrep test fixture for dynamic-proxy-scheme: `# ruleid:` marks a line the
# rule must flag, `# ok:` marks a line it must leave alone.
server {
  listen              443 ssl;
  server_name         www.example.com;
  keepalive_timeout   70;

  ssl_certificate     www.example.com.crt;
  ssl_certificate_key www.example.com.key;

  # The scheme comes from the first URI capture ($1), so the request path
  # chooses the upstream protocol.
  location ~ /proxy/(.*)/(.*)/(.*)$ {
    # ruleid: dynamic-proxy-scheme
    proxy_pass $1://$2/$3;
  }

  # `internal` restricts this location to nginx-internal redirects rather than
  # direct client requests, and the regex limits proxy_proto to http or https.
  # The rule matches textually and still flags the variable scheme; note the
  # space before `;` on the flagged line is absorbed by the pattern's `...`.
  location ~* ^/internal-proxy/(?<proxy_proto>https?)/(?<proxy_host>.*?)/(?<proxy_path>.*)$ {
    internal;

    # ruleid: dynamic-proxy-scheme
    proxy_pass $proxy_proto://$proxy_host/$proxy_path ;
    proxy_set_header Host $proxy_host;
}

  # Scheme is a literal; captures are used only for host and path, so the rule
  # does not fire. The host is still taken from the URI, which is outside this
  # rule's scope (see the SSRF reference in the rule metadata).
  location ~ /proxy/(.*)/(.*)/(.*)$ {
    # ok: dynamic-proxy-scheme
    proxy_pass http://$2/$3/$1;
  }

  # Same as above with a literal https scheme.
  location ~ /proxy/(.*)/(.*)/(.*)$ {
    # ok: dynamic-proxy-scheme
    proxy_pass https://$1/$2/$3;
  }
}