[Security Fix] SAST: User-controlled url query parameter is fetched server-side and response bod...#412
Open
okaypatrick wants to merge 1 commit into
Open
Conversation
…de and response body is reflected, enablin The handler concatenated the user-controlled `req.query.url` with `req.query.symbol` and passed the result to `needle.get`, then reflected the response body to the client. An attacker could point `url` at internal services such as the cloud instance metadata endpoint (e.g. `http://169.254.169.254/latest/meta-data/`) and receive the response, leaking credentials and enabling SSRF. The fix introduces a small allow-list of permitted upstream research providers and rejects any request whose `url` p
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security Fix
Type: SAST
Generated by: AI-Powered Fix Generator
Finding: User-controlled
urlquery parameter is fetched server-side and response body is reflected, enabling SSRF and metadata exfiltration.Rule: claude-ssrf-research-url (oogway-scanner)
File:
app/routes/research.js(line 14)Severity: HIGH
Explanation
The handler concatenated the user-controlled
req.query.urlwithreq.query.symboland passed the result toneedle.get, then reflected the response body to the client. An attacker could pointurlat internal services such as the cloud instance metadata endpoint (e.g.http://169.254.169.254/latest/meta-data/) and receive the response, leaking credentials and enabling SSRF.The fix introduces a small allow-list of permitted upstream research providers and rejects any request whose
urlparameter is not on the list before performing the outbound HTTP call. Thesymbolis also URL-encoded to avoid breaking the allow-list contract by smuggling additional URL components. Existing functionality (rendering the research page and fetching from approved providers) is preserved.Changes
app/routes/research.js: Restrict the server-side fetch to an allow-list of trusted research provider URLs and URL-encode the symbol. This prevents an attacker from supplying an arbitraryurlquery parameter (e.g. http://169.254.169.254/latest/meta-data/) and having the server fetch and reflect its response, eliminating the SSRF / cloud-metadata exfiltration vector.Test Suggestions
Breaking Changes
urlvalue other than the allow-listed providers will now receive HTTP 400 instead of being proxied. Consumers depending on arbitraryurlvalues must use a permitted entry or have it added to ALLOWED_RESEARCH_URLS.