Rule Definition
Passing untrusted user input to network requests could be dangerous. If an attacker can fully control a HTTP request they could connect to internal services. Depending on the nature of these, this can pose a security risk. (e.g. backend services, admin interfaces, AWS metadata, ...)

Remediation
Mitigating SSRF vulnerabilities can be tricky. Disallowing IPs would likely not work as an attacker could create a malicious domain that points to an internal DNS name. Consider: - Having an allow list of domains that can be connected to. - Pointing cURL to a proxy that has no access to internal resources.

Violation Code Sample

<?php

function executeCurl(PDOStatement $stmt) {

    $stmt->execute();
    $row = $stmt->fetch();
    $url = $row["url"];    

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);         // VIOLATION
    curl_exec($ch);
    curl_close($ch);

}

Fixed Code Sample

<?php

/**
* @psalm-taint-escape ssrf
*/
function my_escaping_function_for_urls(string input) : string {
    // Check that input is part of a hard-coded white-list of permitted domains
};

function executeCurl(PDOStatement $stmt) {

    $stmt->execute();
    $row = $stmt->fetch();
    $url = $row["url"];    
    $url = my_escaping_function_for_urls($url);  // FUNCTION ANNOTATED WITH "@psalm-taint-escape ssrf"

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);         // FIXED
    curl_exec($ch);
    curl_close($ch);

}

CWE-918: Server-Side Request Forgery (SSRF) https://cwe.mitre.org/data/definitions/918 OWASP Wiki for Server Side Request Forgery https://owasp.org/www-community/attacks/Server_Side_Request_Forgery