GuardAPI

Fix SSRF (Server Side Request Forgery) in CherryPy

SSRF (Server-Side Request Forgery) in CherryPy occurs when an endpoint accepts a user-controlled URL and fetches its content without validation. This allows attackers to pivot into internal networks, hit cloud metadata services (like 169.254.169.254), or bypass firewalls by making the server act as a proxy.

The Vulnerable Pattern

```python
import cherrypy
import requests


class VulnerableApp:
    @cherrypy.expose
    def fetch_resource(self, url):
        # CRITICAL: the user-supplied 'url' is handed straight to requests.
        # An attacker can pass 'http://localhost:8080/admin' or
        # 'http://169.254.169.254/' and read the response through this endpoint.
        response = requests.get(url)
        return response.content


if __name__ == '__main__':
    cherrypy.quickstart(VulnerableApp())
```

The Secure Implementation

The fix applies defense in depth. First, 'urlparse' splits the input into components and the scheme is restricted to 'http' or 'https', which blocks 'file://', 'gopher://' and similar schemes ('urlparse' lower-cases the scheme, so 'HTTP://' is handled as well). Second, a strict allowlist ('ALLOWED_DOMAINS') restricts outbound requests to known-good hosts. The comparison is an exact match on 'netloc', so a URL that smuggles in credentials or a non-default port, such as 'http://api.trusted.com@10.0.0.1/' or 'http://api.trusted.com:8080/', does not match and is rejected. Finally, the request is sent with a 'timeout' and with 'allow_redirects=False', so a 301/302 from a trusted host cannot steer the server to an internal address after the check has already passed. One caveat remains: the allowlist checks the name, not the address it resolves to, so an allowlisted host that resolves to an internal IP (or whose DNS an attacker controls) would still be reached.

```python
import cherrypy
import requests
from urllib.parse import urlparse

ALLOWED_DOMAINS = ['api.trusted.com', 'assets.trusted.com']


class SecureApp:
    @cherrypy.expose
    def fetch_resource(self, url):
        parsed_url = urlparse(url)

        # 1. Protocol validation: only http/https, never file://, gopher://, etc.
        if parsed_url.scheme not in ['http', 'https']:
            raise cherrypy.HTTPError(400, 'Invalid protocol')

        # 2. Domain allowlisting: exact match on netloc, so embedded credentials
        #    or a non-default port in the URL are rejected as well.
        if parsed_url.netloc not in ALLOWED_DOMAINS:
            raise cherrypy.HTTPError(403, 'Disallowed target domain')

        try:
            # 3. Bound the request time and refuse to follow redirects, so a
            #    trusted host cannot bounce the server to an internal address.
            response = requests.get(url, timeout=5, allow_redirects=False)
            return response.content
        except requests.exceptions.RequestException:
            raise cherrypy.HTTPError(502, 'Failed to fetch resource')


if __name__ == '__main__':
    cherrypy.quickstart(SecureApp())
```
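The allowlist above matches on the host name only. The following is an added example, not GuardAPI's code and not part of the original page, that goes one step further: it validates the scheme, rejects embedded credentials, compares the lower-cased host name against an allowlist, limits the port, and then resolves the name and refuses any answer that is loopback, link-local (the metadata address), private, multicast or reserved. The allowlist, the hosts, the fake DNS answers and the sample URLs are all constructed for the example; the resolver is injectable so the block runs offline, and 'system_resolver' is what you would pass in production. Plugging 'validate_target' into the CherryPy handler is a one-line change: call it before 'requests.get' and raise 'cherrypy.HTTPError(403, reason)' when it returns False.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for this example; cdn.trusted.com is included
# only to show what happens when a trusted name resolves internally.
ALLOWED_HOSTS = {"api.trusted.com", "assets.trusted.com", "cdn.trusted.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # None means the scheme's default port


def system_resolver(host):
    """Every A/AAAA address the OS resolver returns for host (real DNS)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(text)
    # ::ffff:169.254.169.254 is the metadata address in IPv6 clothing.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url, resolver=system_resolver):
    """Return (ok, reason); ok is True only if every check passed."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:      # urlparse lower-cases the scheme
        return False, "scheme %r not allowed" % parsed.scheme
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials in URL"        # e.g. http://api.trusted.com@10.0.0.1/
    host = parsed.hostname                        # lower-cased, [] stripped from IPv6
    if not host or host not in ALLOWED_HOSTS:
        return False, "host %r not in allowlist" % host
    try:
        port = parsed.port                        # raises ValueError on junk like :abc
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port %r not allowed" % port
    try:
        addrs = resolver(host)
    except OSError:                               # socket.gaierror is an OSError
        return False, "could not resolve %r" % host
    if not addrs:
        return False, "no addresses for %r" % host
    for addr in addrs:
        if not is_public_address(addr):           # check every record, not just the first
            return False, "%r resolves to non-public %s" % (host, addr)
    return True, "ok"


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "api.trusted.com": ["93.184.216.34"],
    "assets.trusted.com": ["93.184.216.34", "2606:4700::6810:84e5"],
    "cdn.trusted.com": ["10.0.0.5"],
}


def fake_resolver(host):
    """Stand-in for system_resolver backed by the constructed table above."""
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return FAKE_DNS[host]


# Constructed attacker and legitimate inputs.
SAMPLE_URLS = [
    "https://api.trusted.com/v1/items",
    "http://API.Trusted.com:80/report",
    "http://api.trusted.com:8080/",
    "http://api.trusted.com@169.254.169.254/latest/meta-data/",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::1]:8080/admin",
    "file:///etc/passwd",
    "gopher://api.trusted.com:70/_stats",
    "http://cdn.trusted.com/lib.js",
]


def classify(urls, resolver=fake_resolver):
    """Map each URL to the (ok, reason) the validator produced."""
    return {u: validate_target(u, resolver) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in classify(SAMPLE_URLS).items():
        print("ALLOW " if ok else "REJECT", url, "" if ok else "(" + reason + ")")
```

Only the first two sample URLs are allowed; every other one is rejected at the scheme, credential, allowlist, port or resolved-address stage. Resolving the name before the request narrows the gap but does not close it: a DNS record can change between this check and the connection 'requests' makes (DNS rebinding), and the complete fix is to connect to the address that was checked, which a plain 'requests.get' does not do.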


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.