generic.nginx.security.missing-internal.missing-internal


This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.


Definition

# Semgrep rule: report nginx 'location' blocks that proxy_pass to a
# variable-built target without restricting the block via 'internal;'.
rules:
  - id: missing-internal
    patterns:
      # Anchor the match to a 'location' block; the ellipses let the block
      # hold any number of other directives around the proxy_pass.
      - pattern-inside: |
          location ... {
            ...
            ...
          }
      # Drop location blocks that already contain the 'internal;' directive
      # anywhere in their body.
      - pattern-not-inside: |
          location ... {
            ...
            internal;
            ...
          }
      # The reported directive. The '$' in the pattern is presumably what
      # keeps a fixed target (e.g. 'http://127.0.0.1:8000/' in the examples)
      # from matching while '$1://$2/$3' does match -- confirm against the
      # generic-mode pattern semantics.
      - pattern: proxy_pass ...$...;
    # Only scan files that plausibly hold nginx configuration.
    paths:
      include:
        - "*.conf"
        - "*.vhost"
        - sites-available/*
        - sites-enabled/*
    # Matched in Semgrep's generic (text) mode, not with a language parser.
    languages:
      - generic
    severity: WARNING
    message: This location block contains a 'proxy_pass' directive but does not
      contain the 'internal' directive. The 'internal' directive restricts
      access to this location to internal requests. Without 'internal', an
      attacker could use your server for server-side request forgeries (SSRF).
      Include the 'internal' directive in this block to limit exposure.
    metadata:
      cwe:
        - "CWE-16: CWE CATEGORY: Configuration"
      references:
        - https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md
        - https://nginx.org/en/docs/http/ngx_http_core_module.html#internal
      category: security
      technology:
        - nginx
      # LOW confidence / likelihood / impact: the rule is an audit hint, not a
      # confirmed finding -- expect to review each match by hand.
      confidence: LOW
      owasp:
        - A06:2017 - Security Misconfiguration
        - A05:2021 - Security Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

missing-internal.conf

# Test fixture for the missing-internal rule: a '# ruleid:' comment marks the
# next line as one the rule must report, '# ok:' marks one it must not.

server {
    # Scheme, host and path of the upstream all come from the request URI
    # captures ($1, $2, $3), so the client decides where nginx connects, and
    # nothing limits this location to internal requests.
    location ~ /proxy/(.*)/(.*)/(.*)$ {
        # ruleid: missing-internal
        proxy_pass $1://$2/$3;
    }
}

server {
    # Fixed upstream with no variables in the target: not reported.
    location / {
        # ok: missing-internal
        proxy_pass http://127.0.0.1:8000/;
    }
}

server {
    # Same variable-built target as the first case, but 'internal;' restricts
    # the location to internal requests, so the rule accepts it.
    location ~ /proxy/(.*)/(.*)/(.*)$ {
        internal;
        # ok: missing-internal
        proxy_pass $1://$2/$3;
    }
}