stackoom
  简体   繁体   中英

Getting Server-Side Request Forgery (SSRF) (CWE ID 918) restTemplate.getForEntity

 原文  2021-01-12 07:01:02       java/ spring-boot/ resttemplate/ veracode/ ssrf

Question

I am using restTemplate for synchronous inter-service communication in a microservices architecture.

When we completed Veracode scan, we are getting Server-Side Request Forgery (SSRF) (CWE ID 918) in getForEntity method.

restTemplate.getForEntity(URL, Entity.class);

Not sure why I am getting this SSRF issue?.
What would be the possible fix for this?

1 answers

solution1
 1 ACCPTED  2021-06-03 09:30:29

I have fixed this issue by build the URL using UriComponents before using it in restTemplate.

UriComponents uriComponents = UriComponentsBuilder.newInstance()
  .scheme("http").host("www.yourdomain.com").path("/yourPath").build();

Please refer this link to use UriComponents https://www.baeldung.com/spring-uricomponentsbuilder

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Security - URLConnection Server-Side Request Forgery (SSRF) and File Disclosure How to fix "Server-Side Request Forgery" issue in spring restTemplate RestTemplate.getForEntity will remove file extension? restTemplate.getForEntity() get connect timed out Server Side Request Forgery vulnerability restTemplate.getForEntity when reading data that contains a list with single element gives Exception Resttemplate getForEntity - Pass headers RestTemplate getForEntity method undefined RestTemplate getForEntity map to list of objects server-side programming
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM