Overview
SSRF vulnerabilities allow an attacker to trick your Go Gin service into making HTTP requests to resources the attacker controls or that are private. In real deployments, this can enable access to internal services, cloud metadata endpoints, or other sensitive infrastructure, leading to credential leakage, token theft, or lateral movement. In cloud-native environments, an attacker may use SSRF to reach instance metadata services (for example 169.254.169.254) or internal dashboards, potentially compromising the entire environment. Exploitation can occur even with seemingly innocuous features like image fetch, URL fetch in webhook handlers, or data integration endpoints.
Within Gin handlers, SSRF typically manifests when a handler accepts a user-supplied URL and then fetches it using the net/http package (for example http.Get or a shared http.Client) without validating the destination. If redirects or proxies are allowed, the request can hop to private networks, intranet services, or external services that are not meant to be reachable from the public API surface. This pattern is common in webhook fetchers, image fetchers, or data-integration endpoints.
To remediate, enforce strict outbound-request controls and URL validation in Go (Gin) apps. Use allowlists for hosts or DNS-resolved IP ranges, reject non http/https schemes, block private or internal IPs, and set conservative timeouts. Create a dedicated http.Client with a custom Transport that limits proxies, TLS settings, and redirects. Add tests that simulate SSRF attempts and monitor outbound traffic for anomalies.
Code Fix Example
Go (Gin) API Security Remediation
package main
import (
"net"
"net/http"
"net/url"
"time"
"io"
"github.com/gin-gonic/gin"
)
func main() {
r := gin.Default()
r.GET("/vuln/fetch", vulnerableFetch)
r.GET("/fix/fetch", safeFetch)
r.Run(":8080")
}
func vulnerableFetch(c *gin.Context) {
raw := c.Query("url")
if raw == "" {
c.JSON(400, gin.H{"error": "url parameter required"})
return
}
resp, err := http.Get(raw)
if err != nil {
c.JSON(500, gin.H{"error": err.Error()})
return
}
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
c.Data(resp.StatusCode, resp.Header.Get("Content-Type"), body)
}
func safeFetch(c *gin.Context) {
raw := c.Query("url")
if raw == "" {
c.JSON(400, gin.H{"error": "url parameter required"})
return
}
u, err := url.Parse(raw)
if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
c.JSON(400, gin.H{"error": "invalid url"})
return
}
ok, _ := isURLAllowed(u)
if !ok {
c.JSON(403, gin.H{"error": "URL not allowed"})
return
}
transport := http.DefaultTransport.Clone()
client := &http.Client{ Timeout: 10 * time.Second, Transport: transport }
resp, err := client.Get(raw)
if err != nil {
c.JSON(500, gin.H{"error": err.Error()})
return
}
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
c.Data(resp.StatusCode, resp.Header.Get("Content-Type"), body)
}
func isURLAllowed(u *url.URL) (bool, error) {
host := u.Hostname()
ips, err := net.LookupIP(host)
if err != nil {
return false, err
}
for _, ip := range ips {
if isPrivateIP(ip) {
return false, nil
}
}
return true, nil
}
func isPrivateIP(ip net.IP) bool {
if ip4 := ip.To4(); ip4 != nil {
switch {
case ip4[0] == 10:
return true
case ip4[0] == 172 && ip4[1] >= 16 && ip4[1] <= 31:
return true
case ip4[0] == 192 && ip4[1] == 168:
return true
case ip4[0] == 127:
return true
default:
return false
}
} else {
b := ip.To16()
if b == nil {
return false
}
// IPv6 private ranges: fc00::/7 and fe80::/10 (link-local)
if b[0] == 0xfc || b[0] == 0xfd {
return true
}
if b[0] == 0xfe && (b[1]&0xc0) == 0x80 {
return true
}
if ip.Equal(net.ParseIP("::1")) {
return true
}
}
return false
}