php.lang.security.php-ssrf.php-ssrf

Author
unknown

The web server receives a URL (or similar request) from an upstream component and retrieves its contents without sufficiently ensuring that the request is sent to the expected destination. Dangerous function $FUNCS with payload $DATA — the two metavariables are filled in per finding with the sink that was called (curl_setopt, fopen, file_get_contents, curl_init or readfile) and the request-superglobal expression ($_GET, $_POST, $_COOKIE or $_REQUEST) that reached it.



Definition

# Semgrep rule: a request superglobal ($_GET/$_POST/$_COOKIE/$_REQUEST) reaching one
# of five PHP URL/file fetch functions. This is an audit-grade rule (confidence LOW):
# it matches the data flow syntactically and does not model any validation between
# the source and the sink.
rules:
  - id: php-ssrf
    patterns:
      - pattern-either:
          # Two-step flow: the request value is stored in a variable and that same
          # variable is passed to the sink any number of statements later (`...`).
          # The finding is reported at the assignment line (see test2/test4 in the
          # examples, where the ruleid annotation sits above the assignment).
          - pattern: |
              $VAR=$DATA;
              ...
              $FUNCS(...,$VAR, ...);
          # Direct flow: the request value appears as an argument of the sink call.
          - pattern: $FUNCS(...,$DATA, ...);
      # Source: the argument bound to $DATA must contain one of these superglobals.
      # A subscript such as `$_GET['r']` matches (examples test1, test6, test8);
      # presumably an expression built from one, e.g. a concatenation, matches too --
      # verify before relying on it.
      # NOTE(review): $_SERVER (HTTP_HOST, HTTP_REFERER, REQUEST_URI ...) and $_FILES
      # are not in this list, so request data reaching a sink through them is not
      # reported by this rule.
      - metavariable-pattern:
          metavariable: $DATA
          patterns:
            - pattern-either:
                - pattern: $_GET
                - pattern: $_POST
                - pattern: $_COOKIE
                - pattern: $_REQUEST
      # Sinks. Any argument position counts (`...,$DATA, ...`), so for curl_setopt
      # the rule also fires when the tainted value is an option other than
      # CURLOPT_URL (e.g. CURLOPT_POSTFIELDS or CURLOPT_USERAGENT) -- expect some
      # false positives there and check the option constant when triaging.
      # fopen/file_get_contents/readfile also accept local paths, so a finding may be
      # path traversal / local file disclosure rather than SSRF; both need fixing.
      # Not covered: file(), copy(), get_headers(), simplexml_load_file(),
      # fsockopen(), stream_context_create() and HTTP client libraries (e.g. Guzzle).
      - metavariable-pattern:
          metavariable: $FUNCS
          patterns:
            - pattern-either:
                - pattern: curl_setopt
                - pattern: fopen
                - pattern: file_get_contents
                - pattern: curl_init
                - pattern: readfile
    # There is no pattern-not / pattern-not-inside, so an allowlist or host check
    # placed between the assignment and the call does NOT suppress the finding; every
    # match must be triaged by hand (hence subcategory: audit below). $FUNCS and
    # $DATA in the message are replaced per match with the sink name and the
    # offending argument.
    message: The web server receives a URL or similar request from an upstream
      component and retrieves the contents of this URL, but it does not
      sufficiently ensure that the request is being sent to the expected
      destination. Dangerous function $FUNCS with payload $DATA
    metadata:
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      category: security
      technology:
        - php
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      cwe2022-top25: true
      subcategory:
        - audit
      # likelihood/confidence are LOW while severity is ERROR: treat each finding as
      # a lead for manual review, not as a confirmed vulnerability.
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    languages:
      - php
    severity: ERROR

Examples

php-ssrf.php

<?php

    function test1(){
        // Query-string value handed straight to curl_init() as the URL.
        //ruleid: php-ssrf
        $handle = curl_init($_GET['r']);
    }

    function test2(){
        // Same source as test1, but routed through a local variable first;
        // the finding is reported at the assignment line.
        //ruleid: php-ssrf
        $target = $_GET['r'];
        $handle = curl_init($target);
    }

    function test3(){
        $curl = curl_init();
        // POST parameter used directly as CURLOPT_URL.
        //ruleid: php-ssrf
        curl_setopt($curl, CURLOPT_URL, $_POST['image_url']);
    }

    function test4(){
        $curl = curl_init();
        // Tainted variable set here and consumed by curl_setopt() below;
        // the finding is reported at the assignment line.
        //ruleid: php-ssrf
        $target = $_GET['r'];
        curl_setopt($curl, CURLOPT_URL, $target);
    }

    function test5(){
        // Query-string value reaching fopen() via a local variable. Since fopen()
        // also accepts local paths, this is both an SSRF and a file-read concern.
        //ruleid: php-ssrf
        $target = $_GET['r'];
        $stream = fopen($target, 'rb');
    }

    function test6(){
        // POST parameter passed directly to fopen().
        //ruleid: php-ssrf
        $stream = fopen($_POST['r'], 'rb');
    }

    function test7(){
        // POST parameter reaching file_get_contents() via a local variable.
        //ruleid: php-ssrf
        $target = $_POST['r'];
        $contents = file_get_contents($target);
    }

    function test8(){
        // POST parameter passed directly to file_get_contents().
        //ruleid: php-ssrf
        $contents = file_get_contents($_POST['r']);
    }

    function test9(){
        // Constant path, no request data involved: not reported.
        //ok: php-ssrf
        $contents = file_get_contents("index.php");
    }

    function test10(){
        // The request value is read but never passed to a sink, so the two-step
        // pattern does not match; the fopen() call uses a constant path.
        //ok: php-ssrf
        $target = $_POST['r'];
        $stream = fopen("/tmp/test.txt", 'rb');
    }

?>