Open clavedeluna opened 4 days ago
@drdavella same here, same line triggers multiple rules
tests/samples/flask_request.py
❯❯❱ python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests
Data from request object is passed to a new server-side request. This could lead to a
server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are
validated against an allowlist, do not forward the response to the user, and ensure
proper authentication and transport-layer security in the proxied request. See
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about
SSRF vulnerabilities.
Details: https://sg.run/YvY4
9┆ url = request.args["url"]
10┆ requests.get(url)
❯❯❱ python.flask.security.injection.ssrf-requests.ssrf-requests
Data from request object is passed to a new server-side request. This could lead to a
server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are
validated against an allowlist, do not forward the response to the user, and ensure
proper authentication and transport-layer security in the proxied request.
Details: https://sg.run/J9LW
10┆ requests.get(url)
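The mitigation the finding text asks for (allowlist the scheme and host, do not forward the upstream response), as an added example that is not code from this issue or from the codemodder project. It is plain standard-library Python so it runs offline; a Flask view would call `safe_fetch(request.args["url"])` in place of the flagged `requests.get(url)`. The allowlist contents, the `safe_fetch`/`is_allowed_url` names and the injectable `fetch` parameter are all assumptions made for the example.

```python
"""Added example, not code from the issue or from codemodder: the allowlist
check recommended by the semgrep finding text, plus a fetch wrapper that
returns metadata only. Standard library only so it runs offline."""
import urllib.error
import urllib.request
from typing import Callable, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real one comes from configuration.
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_HOSTS = frozenset({"api.example.com", "files.example.com"})


def is_allowed_url(url: str) -> bool:
    """True only for an absolute URL whose scheme and exact hostname are on
    the allowlist and whose port is the default. Exact-matching .hostname
    (which urlsplit lowercases) defeats 'https://api.example.com@evil.net/'
    (userinfo trick), 'https://api.example.com.evil.net/' (suffix trick)
    and IP literals such as 'https://127.0.0.1/'."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return False
    return port in (None, 443)


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """A 3xx from an allowed host must not carry the request to an
    arbitrary (possibly internal) address; returning None makes urlopen
    raise HTTPError instead of following the redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _urllib_fetch(url: str) -> Tuple[int, bytes]:
    """Default fetcher: short timeout, redirects refused."""
    opener = urllib.request.build_opener(_RefuseRedirects)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def safe_fetch(
    url: str, fetch: Callable[[str], Tuple[int, bytes]] = _urllib_fetch
) -> dict:
    """Validate, fetch, and return only metadata (never the upstream body),
    which covers the 'do not forward the response to the user' half of the
    finding. 'fetch' is injectable so the check runs without a network."""
    if not is_allowed_url(url):
        raise ValueError("target URL not on allowlist")
    status, body = fetch(url)
    return {"status": status, "length": len(body)}
```

Note that the check is on the parsed hostname rather than on a substring of the raw URL; substring or prefix matching is exactly what the userinfo and suffix variants above exploit.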
@clavedeluna my initial feeling is that we should have a single codemod that handles both of these rules. Since we process the findings in series, one of them will be fixed before the other. By the time the second finding is processed, the code will already be fixed so there's no further changes. However, we should mark both findings as fixed, if possible.
This rule most closely aligns with our existing url_sandbox codemod, so we should add a semgrep codemod that uses that transformer.