php.lang.security.injection.tainted-url-host.tainted-url-host

User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist of approved hosts, or hardcode the correct host. Check the parsed host (for example the `host` component from `parse_url()`) against the allowlist rather than testing a string prefix: a value such as `allowed.example@attacker.example` passes a prefix check on `https://allowed.example` but sends the request to `attacker.example`.
Definition
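# Semgrep taint rule: reports URLs whose *host* (the text immediately after
# "scheme://") is assembled from request-controlled data.  Taint enters through
# the PHP request superglobals listed under pattern-sources and is reported
# when it reaches one of the string-building sinks under pattern-sinks.
#
# Limits a reader should keep in mind when triaging findings:
#   * Each sink is the whole string / sprintf() expression, not only the host
#     slot, so sprintf('https://%s/%s', 'api.example.com', $_GET['id']) is
#     still reported even though only the path is tainted.
#   * The sink regexes require the tainted fragment to start right after "://".
#     A literal prefix inside the host, e.g. "https://api-$region.example.com",
#     is not matched although the attacker still controls the effective host.
#   * $_SERVER (HTTP_HOST, HTTP_X_FORWARDED_HOST, ...) and php://input are not
#     sources here, so Host-header-driven URLs are not reported.
rules:
  - id: tainted-url-host
    languages:
      - php
    severity: WARNING
    message: >-
      User data flows into the host portion of this manually-constructed URL.
      This could allow an attacker to send data to their own server, potentially
      exposing sensitive data such as cookies or authorization information sent
      with this request. They could also probe internal servers or other
      resources that the server running this code can access. (This is called
      server-side request forgery, or SSRF.) Do not allow arbitrary hosts.
      Instead, create an allowlist of approved hosts, or hardcode the correct host.
    metadata:
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - php
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: MEDIUM
      confidence: MEDIUM
    mode: taint
    # Anything read from these superglobals is attacker-controlled.  Taint
    # propagates through local assignments, so $part = $_POST['url'] followed
    # by "https://$part" is still caught.
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: $_GET
              - pattern: $_POST
              - pattern: $_COOKIE
              - pattern: $_REQUEST
    pattern-sinks:
      - pattern-either:
          # sprintf() whose format string has a "%s" directly after "://",
          # i.e. the host slot is filled from an argument.
          - patterns:
              - pattern: |
                  sprintf($URLSTR, ...)
              - metavariable-pattern:
                  metavariable: $URLSTR
                  language: generic
                  pattern: $SCHEME://%s
          # Interpolated string with "{$expr}" directly after "://".
          - patterns:
              - pattern: |
                  "...{$EXPR}..."
              - pattern-regex: |
                  .*://\{.*
          # Interpolated string with "$var" directly after "://".
          - patterns:
              - pattern: |
                  "...$EXPR..."
              - pattern-regex: |
                  .*://\$.*
          # Concatenation where the literal ends with "://" (the closing quote
          # follows it), so the next operand becomes the host.  A literal such
          # as 'https://www.example.com/' . $x does not match because the quote
          # does not follow "://".
          - patterns:
              - pattern: |
                  "...".$EXPR
              - pattern-regex: |
                  .*://["'].*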
Examples
tainted-url-host.php
<?php
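/**
 * Fetch $url with cURL and return the response body.
 *
 * The original version never set CURLOPT_RETURNTRANSFER, so curl_exec() wrote
 * the body to stdout and returned a bool; callers therefore received `true`
 * rather than the response.  This version returns the body and throws on
 * failure instead of silently returning false.
 *
 * Transport-level hardening: only http/https are permitted (no file://,
 * gopher:// etc.) and redirects are not followed, so an attacker-chosen URL
 * cannot be bounced to another scheme or host by a 3xx.  This is defence in
 * depth only — the host must still be validated against an allowlist BEFORE
 * the URL reaches this function.
 *
 * @throws RuntimeException if the handle cannot be created or the transfer fails
 */
function make_request(string $url): string {
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init() failed for ' . $url);
    }

    curl_setopt_array($ch, [
        CURLOPT_HEADER => false,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        // Capture the error before closing; curl_error() needs the live handle.
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('Request to ' . $url . ' failed: ' . $error);
    }
    curl_close($ch);

    return $body;
}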
// True Positives
/**
 * Positive case: the tainted $_GET value is concatenated directly after the
 * 'https://' literal, so it becomes the authority (host) of the URL.
 */
function test1() {
    // ruleid: tainted-url-host
    $url = 'https://'.$_GET['url'].'/foobar';
    return make_request($url);
}
/**
 * Positive case: taint flows from $_POST through a local variable into an
 * interpolated string where "$part" sits directly after "https://".
 */
function test2() {
    $part = $_POST['url'];
    // ruleid: tainted-url-host
    $url = "https://$part/foobar";
    return make_request($url);
}
/**
 * Positive case: brace-style interpolation "{$_REQUEST[...]}" placed directly
 * after "https://" makes the request parameter the host.
 */
function test3() {
    // ruleid: tainted-url-host
    $url = "https://{$_REQUEST['url']}/foobar";
    return make_request($url);
}
/**
 * Positive case: sprintf() with a "%s" directly after "https://", filled from
 * a cookie.  $bar is never assigned in this fixture and only exists to show a
 * second, untainted placeholder.
 */
function test4() {
    // ruleid: tainted-url-host
    $url = sprintf('https://%s/%s/', $_COOKIE['foo'], $bar);
    return make_request($url);
}
// True Negatives
/**
 * Negative case: the host is a fixed literal and the user value lands in the
 * path, so it cannot redirect the request to another server.  (The user still
 * controls the path on that host; that is outside this rule's scope.)
 *
 * NOTE(review): this redeclares test1 from the positive section.  Harmless
 * for a Semgrep fixture that is never executed, but the file is not loadable
 * as PHP.
 */
function test1() {
    // ok: tainted-url-host
    $url = 'https://www.google.com/'.$_GET['url'].'/foobar';
    return make_request($url);
}
/**
 * Negative case: the tainted value is interpolated into a string that contains
 * no "://", so it is not a URL host and the rule must stay quiet.
 *
 * NOTE(review): redeclares test2 from the positive section (fixture only).
 */
function test2() {
    $part = $_POST['url'];
    // ok: tainted-url-host
    $url = "some random text /$part/ foobar";
    return make_request($url);
}
/**
 * Negative case: brace interpolation appears after a literal host and a "/",
 * so only the path is user-controlled.
 *
 * NOTE(review): redeclares test3 from the positive section (fixture only).
 */
function test3() {
    // ok: tainted-url-host
    $url = "https://www.google.com/{$_REQUEST['url']}/foobar";
    return make_request($url);
}
/**
 * Negative case: sprintf() whose format string has no "://%s", so the
 * cookie value never becomes a URL host.
 *
 * NOTE(review): redeclares test4 from the positive section (fixture only).
 */
function test4() {
    // ok: tainted-url-host
    $url = sprintf('some random format string %s %s', $_COOKIE['foo'], $bar);
    return make_request($url);
}