SSRF

SSRF Mitigation for Go (Gin) [Apr 2026] [GHSA-fvcv-3m26-pcqx]

[Updated Apr 2026] Updated GHSA-fvcv-3m26-pcqx

Overview

SSRF (Server-Side Request Forgery) occurs when a server fetches a resource whose location is taken from client input. In Go applications built on Gin, an endpoint that reads a URL from a request parameter and performs an outbound HTTP request with it can be turned into a proxy for reaching internal services, cloud metadata endpoints, and other assets that are only meant to be reachable from inside the network. The attacker does not need to defeat authentication: the server makes the request on their behalf, so the weakness can lead to data exposure, selective scanning of the internal network, and access to services that should remain private. Note: this guide does not reference specific CVEs.

Code Fix Example

Go (Gin) API Security Remediation
package main

import (
  "io"
  "net/http"
  "net/url"
  "time"

  "github.com/gin-gonic/gin"
)

// vulnerableProxy fetches whatever URL the client supplies. Nothing stops
// the caller from pointing it at localhost, a private address, or the
// cloud metadata service, so the server becomes an open proxy.
func vulnerableProxy(c *gin.Context) {
  target := c.Query("url")
  resp, err := http.Get(target)
  if err != nil {
    c.String(http.StatusBadRequest, "error: %v", err)
    return
  }
  defer resp.Body.Close()
  c.Status(resp.StatusCode)
  io.Copy(c.Writer, resp.Body)
}

// safeClient replaces http.DefaultClient in the fixed handler. It does not
// follow redirects (an allowed host could otherwise redirect the request to
// an internal address after the allowlist check has passed) and it bounds
// the time spent waiting on the upstream.
var safeClient = &http.Client{
  Timeout: 10 * time.Second,
  CheckRedirect: func(req *http.Request, via []*http.Request) error {
    return http.ErrUseLastResponse
  },
}

// fixedProxy only forwards http/https requests to an explicit allowlist of
// hosts, matched exactly (including any port) against the parsed URL.
// Note that the allowlist still trusts whatever the allowed name resolves
// to; pin DNS or filter destination IPs at dial time for stronger control.
func fixedProxy(c *gin.Context) {
  target := c.Query("url")
  u, err := url.Parse(target)
  if err != nil {
    c.String(http.StatusBadRequest, "invalid url")
    return
  }
  if u.Scheme != "http" && u.Scheme != "https" {
    c.String(http.StatusBadRequest, "unsupported scheme")
    return
  }
  allowed := map[string]bool{
    "example.com":  true,
    "api.internal": true,
  }
  if !allowed[u.Host] {
    c.String(http.StatusForbidden, "host not allowed")
    return
  }
  // Fetch through the hardened client using the validated, re-serialised URL.
  resp, err := safeClient.Get(u.String())
  if err != nil {
    // Do not echo the transport error: it would reveal which internal
    // addresses answer and which refuse.
    c.String(http.StatusBadGateway, "upstream request failed")
    return
  }
  defer resp.Body.Close()
  c.Status(resp.StatusCode)
  if _, err := io.Copy(c.Writer, resp.Body); err != nil {
    // The status line has already been sent; nothing more can be reported.
    return
  }
}

func main() {
  r := gin.Default()
  r.GET("/vuln-proxy", vulnerableProxy)
  r.GET("/fix-proxy", fixedProxy)
  r.Run()
}
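
The host allowlist above still trusts whatever the allowed hostname resolves to, and a plain http.Get follows redirects. The stdlib-only code below is an added example (not part of the original advisory) of a guarded http.Client to use in the Gin handler instead of http.Get: the dialer's Control hook rejects loopback, link-local and private destinations after DNS resolution, and redirects are not followed. The function names (isBlockedIP, safeDialControl, newSafeClient) and the timeouts are assumptions.

```go
package main

import (
  "errors"
  "net"
  "net/http"
  "syscall"
  "time"
)

// isBlockedIP reports whether ip lies in a range an outbound proxy must
// never reach: loopback, link-local (cloud metadata at 169.254.169.254),
// RFC 1918 / ULA private space, or the unspecified address.
func isBlockedIP(ip net.IP) bool {
  return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() ||
    ip.IsUnspecified()
}

// safeDialControl runs after DNS resolution and just before connect(2),
// so it also catches an allowlisted hostname that resolves (or is later
// rebound) to an internal address.
func safeDialControl(network, address string, _ syscall.RawConn) error {
  host, _, err := net.SplitHostPort(address)
  if err != nil {
    return err
  }
  ip := net.ParseIP(host)
  if ip == nil || isBlockedIP(ip) {
    return errors.New("refusing to connect to blocked address " + host)
  }
  return nil
}

// newSafeClient is the client to use instead of http.Get in the handler:
// guarded dialer, bounded timeout, and no redirect following (a redirect
// from an allowed host would otherwise bypass the host allowlist).
func newSafeClient() *http.Client {
  dialer := &net.Dialer{Timeout: 5 * time.Second, Control: safeDialControl}
  return &http.Client{
    Timeout:   10 * time.Second,
    Transport: &http.Transport{DialContext: dialer.DialContext},
    CheckRedirect: func(*http.Request, []*http.Request) error {
      return http.ErrUseLastResponse
    },
  }
}

func main() {
  _ = newSafeClient() // in the Gin handler: client.Get(u.String())
}
```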

CVE References
