[REVIEW] secure-code-review: add SSRF URL parser and redirect revalidation gates

[yanziwei]

Skill Review ($25 Bounty)

Skill

skills/appsec/secure-code-review/SKILL.md

What needs improvement

secure-code-review includes a basic SSRF example and checklist item, but the current guidance is too shallow for modern SSRF code review. It says to validate scheme, reject private/internal IP ranges, and use an allowlist, but it does not require reviewers to check the bypass paths that commonly break those defenses.

Coverage gaps

• URL parser differentials: validation uses one parser but the HTTP client follows another interpretation.
• Redirect chains: the initial URL is validated, but 30x redirects are not revalidated before the follow-up request.
• DNS rebinding and time-of-check/time-of-use: hostname resolves to public IP at validation time and private/link-local IP at request time.
• Encoded or alternate IP formats: decimal, octal, hexadecimal, IPv6, IPv4-mapped IPv6, and dotted-integer forms bypass private-range filters.
• Cloud metadata endpoints: AWS/Azure/GCP metadata IPs and hostnames are not denied explicitly.
• Protocol and method confusion: redirects or user-controlled URLs move from HTTPS to HTTP, gopher/file schemes, or unexpected internal endpoints.

Suggested fix

Add focused SSRF evidence gates to Step 8:

• require a single canonical URL parse result shared by validation and fetch code;
• revalidate every redirect target before following it;
• resolve and pin final destination IPs, rejecting private, loopback, link-local, multicast, and cloud metadata ranges;
• document DNS rebinding protections and resolver behavior;
• reject alternate IP encodings and IPv4-mapped IPv6 forms;
• add findings/check IDs and output fields for parser consistency, redirect revalidation, DNS/IP validation, and metadata endpoint blocking.

References

• OWASP SSRF Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
• CWE-918 Server-Side Request Forgery: https://cwe.mitre.org/data/definitions/918.html

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms.
• Preferred payment method: PayPal 1005150221@qq.com

[yanziwei]

Submitted PR: #1704

Implemented secure-code-review SSRF URL validation gates for parser consistency, redirect revalidation, DNS rebinding, IP range filtering, cloud metadata endpoint denial, alternate IP encodings, and protocol confusion.

Validation performed: git diff --check, scoped diff review, marker grep, and Markdown fence balance check.