Getting "Server-Side Request Forgery" issue in Fortify report while using spring restTemplate.
I am making a call using restTemplate to some other REST service and passing this URL from my controller class. The URL is hardcoded in my controller and not user-controlled data.
HttpEntity<R> response = restTemplate.exchange(uri, HttpMethod.POST, entity,
        parameterizedTypeReference);
Not sure how to fix this issue.
SSRF is exploited by an attacker controlling an outgoing request that the server is making. If uri is indeed hard-coded, then the attacker has no ability to influence where the request is going, so it would indeed look to be a false positive. However, although Fortify is known for false positives, I have not seen it make that type of mistake (i.e. claimed SSRF despite a hard-coded URI), so I am a bit surprised to hear it. Have you checked the whole source-to-sink trace that Fortify provides? If it is reporting only that one line as the source and sink, then yes, it is a false positive. If there is more, then it would be helpful if you provided the full trace.
In my case, I get this Server-side request forgery alert in GitHub Code scanning.
Previously I used restTemplate like this:
String uri = "https://my_url/{parm1}/product/{parm2}";
String finalUri = UriComponentsBuilder.fromHttpUrl(uri)
        .queryParam("name", "example")
        .buildAndExpand("paramValue1", "paramValue2")
        .toUriString();
restTemplate.exchange(finalUri, HttpMethod.GET, entity, String.class);
However, I always got a Server-side request forgery alert from GitHub Code scanning.
Then I resolved it like this:
String uri = "https://my_url/{parm1}/product/{parm2}?name={name}";
restTemplate.exchange(uri, HttpMethod.GET, entity, String.class, "paramValue1", "paramValue2", "example");
Then the actual request URL will be:
https://my_url/paramValue1/product/paramValue2?name=example
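An added example (not code from the question or either answer) of the same template-variable pattern applied when the path values really are caller-supplied: the scheme and host stay fixed, the segments are validated, and the expanded host is checked against an allow-list before RestTemplate is called. ProductClient, BASE_URL, ALLOWED_HOSTS and SAFE_SEGMENT are hypothetical names; it assumes Spring Framework 5 or later for the builder-level encode().

```java
import java.util.Set;
import java.util.regex.Pattern;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public class ProductClient {
    // Hypothetical fixed base URL: the scheme and host never come from request data.
    private static final String BASE_URL = "https://my_url";
    // Hypothetical allow-list of hosts this client may call.
    private static final Set<String> ALLOWED_HOSTS = Set.of("my_url");
    // Only plain identifiers are accepted as path segments (no '/', '..', '@', etc.).
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    private final RestTemplate restTemplate;

    public ProductClient(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;
    }

    // parm1, parm2 and name may be caller-supplied: validate them, then pass them as
    // URI template variables so Spring encodes them instead of concatenating strings.
    public String fetchProduct(String parm1, String parm2, String name, HttpEntity<?> entity) {
        requireSafeSegment(parm1);
        requireSafeSegment(parm2);
        UriComponents components = UriComponentsBuilder.fromHttpUrl(BASE_URL)
                .path("/{parm1}/product/{parm2}")
                .queryParam("name", "{name}")
                .encode()                       // strict mode: variables are encoded on expansion
                .buildAndExpand(parm1, parm2, name);

        // Confirm expansion did not move the request to another host.
        if (!ALLOWED_HOSTS.contains(components.getHost())) {
            throw new IllegalStateException("Unexpected host: " + components.getHost());
        }

        ResponseEntity<String> response = restTemplate.exchange(
                components.toUri(), HttpMethod.GET, entity, String.class);
        return response.getBody();
    }

    private static void requireSafeSegment(String value) {
        if (value == null || !SAFE_SEGMENT.matcher(value).matches()) {
            throw new IllegalArgumentException("Rejected path segment");
        }
    }
}
```

Because the host is a constant and the variables only ever fill path and query placeholders, a scanner's source-to-sink trace from a request parameter can no longer reach the host component of the outgoing URL.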