# Unsanitized user input in HTTP request (SSRF)

## Overview

* **Rule ID**: `java_lang_http_url_using_user_input`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-918

## Description

Building an HTTP request URL from unvalidated user input exposes the application to Server-Side Request Forgery (SSRF). An attacker who controls the destination of a request made by the server can point it at hosts the attacker cannot reach directly, such as internal services, loopback ports, or cloud metadata endpoints, and read the response back through the application. In Java the exposure is not limited to HTTP: `java.net.URL` also handles `file:` and `jar:` URLs by default, so a user-controlled URL handed to it can read local files as well.

## Remediation Guidelines

* **Avoid** concatenating user input into, or using it directly as, the URL of an HTTP request. Any value the client controls, including a full URL read straight from a request parameter, lets an attacker choose where the server connects.

  ```java
  new URL(request.getParameter("someRandomUrl")).getContent(); // unsafe
  ```
* Instead, **map** user input to a predefined set of destinations, or **validate** it against a strict allowlist, before building the URL. The input then selects a known, safe target and never becomes part of the URL itself.

  ```java
  // The parameter only chooses between fixed destinations; its value is never
  // placed in the URL. The literal is on the left so a missing parameter
  // (null) does not throw NullPointerException.
  String url;
  if ("option1".equals(request.getParameter("selectedUrl"))) {
      url = "https://api1.com";
  } else {
      url = "https://api2.com";
  }
  ```
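The following class is an added example, not code from the rule or the scanner, showing both remediation patterns together: a key-to-URI map for the common case, and a parser-based allowlist check for the case where a full URL genuinely has to be accepted. The destinations, hostnames, and class name are hypothetical, and the inputs in `main` are constructed stand-ins for `request.getParameter(...)` values. It assumes Java 11 or later for `java.net.http.HttpClient`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class SafeOutboundRequest {

    // Allowlist keyed by an opaque token the client may choose. The token
    // never appears in the URL; it only selects one of these fixed targets.
    // (Hypothetical destinations, for illustration only.)
    private static final Map<String, URI> TARGETS = Map.of(
            "inventory", URI.create("https://inventory.example.internal/v1/items"),
            "pricing",   URI.create("https://pricing.example.com/v2/quote"));

    // Hosts a caller-supplied URL may point at, for the fallback pattern below.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("api1.example.com", "api2.example.com");

    // Preferred pattern: map the parameter to a predefined URI and reject
    // everything else (no default destination for unknown keys).
    public static Optional<URI> resolveTarget(String selectedKey) {
        if (selectedKey == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(TARGETS.get(selectedKey));
    }

    // Fallback pattern when a full URL must be accepted: parse it with
    // java.net.URI (not string matching) and require an absolute https URL
    // whose host is on the allowlist.
    public static Optional<URI> validateExternalUrl(String raw) {
        if (raw == null) {
            return Optional.empty();
        }
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        // Rejects file:, jar:, ftp:, plain http: and relative references.
        if (!uri.isAbsolute() || !"https".equalsIgnoreCase(uri.getScheme())) {
            return Optional.empty();
        }
        // "https://api1.example.com@169.254.169.254/" parses with the trusted
        // name as userinfo and the metadata address as host; refuse userinfo.
        if (uri.getUserInfo() != null) {
            return Optional.empty();
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return Optional.empty();
        }
        // Pin the port as well, so an allowlisted host cannot be used to
        // reach an unexpected service on it.
        if (uri.getPort() != -1 && uri.getPort() != 443) {
            return Optional.empty();
        }
        return Optional.of(uri);
    }

    // Send the request with redirects disabled: an allowlisted host that
    // returns a 302 must not be able to bounce the server onto an internal
    // address that the checks above would have rejected.
    public static String fetch(URI target) throws Exception {
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER)
                .build();
        HttpRequest req = HttpRequest.newBuilder(target).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        return resp.body();
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for request.getParameter(...) values.
        System.out.println(resolveTarget("pricing"));   // known key
        System.out.println(resolveTarget("../etc"));    // unknown key
        System.out.println(validateExternalUrl("https://api1.example.com/users?id=7")); // allowlisted host
        System.out.println(validateExternalUrl("file:///etc/passwd"));                  // non-https scheme
        System.out.println(validateExternalUrl("https://api1.example.com@169.254.169.254/")); // userinfo smuggling
        System.out.println(validateExternalUrl("http://api2.example.com/"));            // plain http
        // fetch(...) is deliberately not called here so the example runs offline.
    }
}
```

Two points the checks above are built around: validate the parsed `URI` components rather than the raw string, since prefix or substring matching on the string is what userinfo tricks and scheme variations defeat; and keep redirects off on the outbound client, because a host that passed the allowlist can still answer with a `Location` header pointing anywhere.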

## References

* [**CWE-918: Server-Side Request Forgery (SSRF)**](https://cwe.mitre.org/data/definitions/918.html)
* [**OWASP Top 10: A10:2021 - Server-side Request Forgery (SSRF)**](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_\(SSRF\)/)

## Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our [**SAST TOOL**](https://scopy.sec1.io/login)
