generic.nginx.security.missing-internal.missing-internal

Community Favorite
profile photo of semgrepsemgrep
Author
75,967
Download Count*
LGPL Commons Clause
License

This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: missing-internal
    options:
      generic_ellipsis_max_span: 0
      generic_engine: aliengrep
    patterns:
      - pattern-inside: |
          location ... {
            ....
            ....
          }
      - pattern-not-inside: |
          location ... {
            ....
            internal;
            ....
          }
      - pattern: proxy_pass $...URL;
      - metavariable-regex:
          metavariable: $...URL
          regex: (.*\$.*)
    paths:
      include:
        - "*.conf"
        - "*.vhost"
        - sites-available/*
        - sites-enabled/*
    languages:
      - generic
    severity: WARNING
    message: This location block contains a 'proxy_pass' directive but does not
      contain the 'internal' directive. The 'internal' directive restricts
      access to this location to internal requests. Without 'internal', an
      attacker could use your server for server-side request forgeries (SSRF).
      Include the 'internal' directive in this block to limit exposure.
    metadata:
      cwe:
        - "CWE-16: CWE CATEGORY: Configuration"
      references:
        - https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md
        - https://nginx.org/en/docs/http/ngx_http_core_module.html#internal
      category: security
      technology:
        - nginx
      confidence: LOW
      owasp:
        - A06:2017 - Security Misconfiguration
        - A05:2021 - Security Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other

Examples

missing-internal.conf

server {
    location ~ /proxy/(.*)/(.*)/(.*)$ {
        # ruleid: missing-internal
        proxy_pass $1://$2/$3;
    }
}

server {
    location / {
        # ok: missing-internal
        proxy_pass http://127.0.0.1:8000/;
    }
}

server {
    location ~ /proxy/(.*)/(.*)/(.*)$ {
        internal;
        # ok: missing-internal
        proxy_pass $1://$2/$3;
    }
}

server {
    location / {
        # ok: missing-internal
        proxy_pass  http:/backend:42/;
        set         $false  'positive';
    }
}