SSRF (Server-Side Request Forgery)

Your server fetches a URL that came from user input, and the URL points at internal infrastructure: cloud metadata, localhost, RFC 1918 ranges. validateUrl blocks the obvious cases plus encoding tricks; validateUrlAsync closes the DNS TOCTOU window.

What it catches

• Private IP ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
• Loopback: 127.0.0.0/8, ::1
• Link-local: 169.254.0.0/16, fe80::/10
• Cloud metadata: 169.254.169.254 (AWS), metadata.google.internal (GCP), metadata.azure.internal (Azure)
• IP encoding tricks: decimal (2130706433), octal (0177.0.0.1), hex (0x7f000001), IPv6-mapped (::ffff:127.0.0.1)
• Dangerous protocols: file://, gopher://, dict://, ftp://
• DNS TOCTOU: the hostname resolves to a public IP at validation time but a private IP at fetch time (validateUrlAsync + pinnedDnsLookup)

Sample payload

// Before
"http://169.254.169.254/latest/meta-data/iam/security-credentials/"

// validateUrl(url) returns false; in middleware, this raises
// vector=ssrf, rule=patterns.ssrf.cloud-metadata

Configuration

import { validateUrl, validateUrlAsync, safeFollowRedirect } from '@arcis/node';

// Sync, fast: pattern + IP-range checks
if (!validateUrl(user_url)) { res.status(400).send(); return; }

// Async, DNS-aware: closes the TOCTOU window
const ok = await validateUrlAsync(user_url);

// Manual redirect chain following with pinned DNS
const resp = await safeFollowRedirect(user_url);

Disable

The detector is opt-in. Call validateUrl wherever you fetch a URL provided by the user. There is no global disable.

References

• OWASP SSRF
• CWE-918