generic.nginx.security.missing-internal.missing-internal

This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.
Definition
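# Semgrep rule: report a `proxy_pass` whose target contains an nginx
# variable (`$`) when the enclosing `location` block does not declare
# `internal;`. Per the rule message, `internal` restricts the location to
# internal requests; without it an external client can reach a location
# whose upstream is chosen at request time (SSRF).
rules:
  - id: missing-internal
    options:
      # NOTE(review): generic-mode options carried over from the original
      # rule; how far `...`/`....` may span under these settings is defined
      # by the semgrep generic-engine docs — confirm before changing.
      generic_ellipsis_max_span: 0
      generic_engine: aliengrep
    patterns:
      # The match must sit inside a location block ...
      - pattern-inside: |
          location ... {
            ....
            ....
          }
      # ... whose body does not contain an `internal;` directive.
      - pattern-not-inside: |
          location ... {
            ....
            internal;
            ....
          }
      - pattern: proxy_pass $...URL;
      # Only targets containing `$` are reported; a fixed upstream such as
      # the http://127.0.0.1:8000/ example in the tests is not flagged.
      - metavariable-regex:
          metavariable: $...URL
          regex: '(.*\$.*)'
    paths:
      include:
        - "*.conf"
        - "*.vhost"
        - "sites-available/*"
        - "sites-enabled/*"
    languages:
      - generic
    severity: WARNING
    message: >-
      This location block contains a 'proxy_pass' directive but does not
      contain the 'internal' directive. The 'internal' directive restricts
      access to this location to internal requests. Without 'internal', an
      attacker could use your server for server-side request forgeries (SSRF).
      Include the 'internal' directive in this block to limit exposure.
    metadata:
      cwe:
        - "CWE-16: CWE CATEGORY: Configuration"
      references:
        - https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md
        - https://nginx.org/en/docs/http/ngx_http_core_module.html#internal
      category: security
      technology:
        - nginx
      # The pattern cannot tell whether the variable is client-controlled,
      # so findings are low-confidence audit items rather than confirmed bugs.
      confidence: LOW
      owasp:
        - A06:2017 - Security Misconfiguration
        - A05:2021 - Security Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other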
Examples
missing-internal.conf
# Test fixtures for the missing-internal rule. The `# ruleid:` / `# ok:`
# lines are semgrep test markers; keep each directly above the directive
# it refers to.

# Reported: the upstream is assembled from URI regex captures ($1, $2, $3)
# and the location is not marked `internal`.
server {
  location ~ /proxy/(.*)/(.*)/(.*)$ {
    # ruleid: missing-internal
    proxy_pass $1://$2/$3;
  }
}

# Not reported: fixed upstream, no `$` in the proxy_pass target.
server {
  location / {
    # ok: missing-internal
    proxy_pass http://127.0.0.1:8000/;
  }
}

# Not reported: same variable-built target, but `internal;` is declared
# in the location body.
server {
  location ~ /proxy/(.*)/(.*)/(.*)$ {
    internal;
    # ok: missing-internal
    proxy_pass $1://$2/$3;
  }
}

# Not reported: the `$` is in a separate `set` directive, not in the
# proxy_pass target.
# NOTE(review): the single slash in `http:/backend:42/` is reproduced from
# the original example — confirm it is intended.
server {
  location / {
    # ok: missing-internal
    proxy_pass http:/backend:42/;
    set $false 'positive';
  }
}