
Add secure-code-review SSRF URL validation gates#1704

Open
yanziwei wants to merge 1 commit into UnitOneAI:main from yanziwei:improve/secure-code-review-ssrf-url-gates

Conversation


@yanziwei yanziwei commented Jun 8, 2026

Skill Improvement ($50-150 Bounty)

Skill

skills/appsec/secure-code-review/SKILL.md

Closes #1702.

What Was Wrong

secure-code-review included a basic SSRF example and checklist item, but did not require evidence for common bypass paths: URL parser differentials, redirects without revalidation, DNS rebinding, alternate IP encodings, IPv6/link-local/private ranges, or cloud metadata endpoint denial.

What This PR Fixes

  • Adds SSRF URL Canonicalization and Redirect Review under Step 8.
  • Requires URL source, validation parser, HTTP-client parser, scheme policy, host allowlist, DNS resolution point, IP filters, redirect policy, destination pinning, and timeout/size limit evidence.
  • Adds SCR-SSRF-01 through SCR-SSRF-07 for parser differentials, redirect gaps, DNS rebinding, weak IP filtering, metadata endpoints, alternate IP encodings, and protocol confusion.
  • Updates the SSRF checklist item to require canonical parsing, redirect revalidation, DNS/IP checks, and metadata endpoint deny rules.
  • Adds an SSRF URL Fetch Review output table.
  • Adds a common pitfall warning against treating SSRF as a single allowlist check.
  • Adds OWASP SSRF Prevention Cheat Sheet and CWE-918 references.

Test Cases

  • Validation parser and HTTP client disagree on the canonical host: should trigger SCR-SSRF-01.
  • Initial URL is allowlisted but redirects to link-local metadata service: should trigger SCR-SSRF-02 and SCR-SSRF-05.
  • Hostname resolves public during validation and private during fetch: should trigger SCR-SSRF-03.
  • Decimal/octal/hex/IPv4-mapped IPv6 address bypasses a dotted IPv4 private-range filter: should trigger SCR-SSRF-04 or SCR-SSRF-06.

Validation

  • git diff --check
  • Confirmed the diff is scoped to skills/appsec/secure-code-review/SKILL.md.
  • Verified required markers are present: SSRF URL Canonicalization and Redirect Review, SCR-SSRF-01, SCR-SSRF-07, SSRF URL Fetch Review, and Treating SSRF as a single allowlist check.
  • Checked Markdown code fence balance.

Bounty Tier

Moderate ($100) - adds focused code-review evidence gates for SSRF false negatives and bypass patterns.

Bounty Info

  • I have read and agree to CONTRIBUTING.md bounty terms.
  • Preferred payment method: PayPal 1005150221@qq.com
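The gates the PR description asks reviewers to look for (one canonical parse shared with the client, scheme and userinfo policy, DNS resolution with IP deny rules covering link-local and metadata ranges, per-hop redirect revalidation, destination pinning), as an added Python example that is not part of this PR or of the UnitOneAI skill file. The deny-list is an assumed policy, FakeNet is a constructed offline stand-in for DNS and HTTP, and the SCR-SSRF-* comments only map the demo cases to the gate names the PR introduces:

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Deny-list for server-side fetches (assumed policy; tune per deployment).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",  # link-local, includes the 169.254.169.254 cloud metadata endpoint
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

class SsrfBlocked(ValueError): pass

def canonical_ip(host):
    """IP a client would dial if `host` is any IP literal, else None. socket.inet_aton accepts
    the libc shorthand (decimal "2130706433", hex "0x7f.0.0.1") that ipaddress.ip_address rejects."""
    h = host.strip("[]")
    try:
        return ipaddress.IPv4Address(socket.inet_aton(h))
    except OSError:
        pass
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return None
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 is really 10.0.0.1
    return mapped if mapped is not None else ip

def is_blocked(ip):
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_url(url, resolve):
    """Gate one URL; return (normalized_url, pinned_ip). `resolve(host)` -> list of IP strings."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfBlocked("userinfo in URL")  # http://trusted@10.0.0.1/ style confusion
    host = parts.hostname
    if not host:
        raise SsrfBlocked("missing host")
    literal = canonical_ip(host)
    ips = [literal] if literal else [canonical_ip(a) for a in resolve(host)]
    if not ips or None in ips:
        raise SsrfBlocked(f"unresolvable host: {host!r}")
    bad = [str(ip) for ip in ips if is_blocked(ip)]
    if bad:
        raise SsrfBlocked(f"{host!r} -> blocked address(es) {bad}")
    return parts.geturl(), ips[0]

def fetch_pinned(url, resolve, transport, max_redirects=3):
    """`transport(url, ip)` -> (status, headers, body) connects to `ip`; every redirect hop is re-gated."""
    for _ in range(max_redirects + 1):
        url, ip = validate_url(url, resolve)
        status, headers, body = transport(url, ip)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        if not headers.get("Location"):
            raise SsrfBlocked("redirect without Location")
        url = urljoin(url, headers["Location"])
    raise SsrfBlocked("too many redirects")

class FakeNet:
    """Constructed offline DNS/HTTP stand-in: rebind.example answers public first, loopback afterwards."""
    ROUTES = {"http://files.example/ok": (200, {}, b"report body"),
              "http://files.example/report": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
              "http://rebind.example/": (200, {}, b"hello")}
    def __init__(self):
        self.lookups, self.sent = 0, []
    def resolve(self, host):
        if host == "files.example":
            return ["203.0.113.10"]
        if host == "rebind.example":
            self.lookups += 1
            return ["203.0.113.20"] if self.lookups == 1 else ["127.0.0.1"]
        return []
    def transport(self, url, ip):
        self.sent.append((url, str(ip)))  # records the IP actually dialled, so pinning is observable
        return self.ROUTES.get(url, (404, {}, b""))

def demo():
    net, out = FakeNet(), {}
    out["ok"] = fetch_pinned("http://files.example/ok", net.resolve, net.transport)
    cases = {"redirect_to_metadata": "http://files.example/report",  # SCR-SSRF-02 / -05
             "decimal_loopback": "http://2130706433/",                # SCR-SSRF-06
             "hex_loopback": "http://0x7f.0.0.1/",
             "mapped_private": "http://[::ffff:10.0.0.1]/",
             "file_scheme": "file:///etc/passwd",                     # SCR-SSRF-07
             "userinfo_trick": "http://files.example@127.0.0.1/"}
    for name, url in cases.items():
        try:
            fetch_pinned(url, net.resolve, net.transport)
            out[name] = "ALLOWED"
        except SsrfBlocked as exc:
            out[name] = f"blocked: {exc}"
    out["rebind"] = fetch_pinned("http://rebind.example/", net.resolve, net.transport)  # SCR-SSRF-03
    out["rebind_connected_to"] = net.sent[-1][1]  # the pinned 203.0.113.20, not the rebound 127.0.0.1
    return out
```

The design point is that the same `canonical_ip` result feeds both the check and the connect: the gate never re-resolves, so a resolver that answers public during validation and loopback during fetch (FakeNet's rebind.example) still lands on the pinned address. In a real client, pinning means opening the socket to `ip` while keeping the original hostname for the Host header and SNI; the stand-in transport does not model that, nor the timeout and response-size limits the PR lists as required evidence.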



Development

Successfully merging this pull request may close these issues.

[REVIEW] secure-code-review: add SSRF URL parser and redirect revalidation gates
