Fix SSRF (Server Side Request Forgery) in Cuba
Cuba is a micro-framework that stays out of your way, but it offers zero built-in protection against SSRF. If your app fetches remote resources based on user-controlled parameters, an attacker can pivot to your internal network, scan local ports, or exfiltrate cloud metadata (like AWS/GCP credentials). To fix this, you must implement strict URL validation and IP blacklisting.
The Vulnerable Pattern
```ruby
require "cuba"
require "net/http"

Cuba.define do
  on get, "proxy" do
    # DANGEROUS: directly fetching a user-provided URL
    target_url = req.params["url"]
    response = Net::HTTP.get(URI(target_url))
    res.write(response)
  end
end
```
The Secure Implementation
The fix implements a defense-in-depth strategy. First, it enforces a protocol whitelist (HTTP/S only) to prevent use of file:// or gopher:// schemes. Second, it uses a strict domain allowlist. Third, and most importantly, it resolves the hostname to an IP address and verifies that the address does not belong to a private, loopback, or link-local range. This prevents 'Time of Check to Time of Use' (TOCTOU) DNS rebinding attacks and ensures the application cannot reach internal services like 127.0.0.1 or the cloud metadata service at 169.254.169.254.
```ruby
require "cuba"
require "uri"
require "resolv"
require "ipaddr"
require "net/http"

ALLOWED_HOSTS = ["api.trusted-partner.com"].freeze

def secure_request(url_string)
  uri = URI.parse(url_string)
  return nil unless ["http", "https"].include?(uri.scheme)
  return nil unless ALLOWED_HOSTS.include?(uri.host)

  # Resolve IP to check for internal ranges
  ip_address = Resolv.getaddress(uri.host)
  # Addrinfo.new expects a packed sockaddr; Addrinfo.ip takes an IP string
  addr = Addrinfo.ip(ip_address)

  # Block private/loopback/link-local IPs (RFC 1918, 127/8, 169.254/16 which
  # carries the cloud metadata service, IPv6 loopback and link-local)
  if addr.ipv4_private? || addr.ipv4_loopback? ||
     addr.ipv6_linklocal? || addr.ipv6_loopback? ||
     IPAddr.new("169.254.0.0/16").include?(ip_address)
    return nil
  end

  Net::HTTP.get(uri)
rescue StandardError
  # Unparseable URL, failed resolution or network error: treat as an invalid target
  nil
end

Cuba.define do
  on get, "proxy" do
    url = req.params["url"]
    if (data = secure_request(url))
      res.write(data)
    else
      res.status = 403
      res.write("Forbidden: Invalid or Internal Target")
    end
  end
end
```
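The check-then-fetch flow above resolves the host once for the check, while `Net::HTTP.get(uri)` performs its own lookup when it connects, so the address that was validated is not necessarily the one the socket reaches. The following added example (not the page's or Cuba's own code) closes that gap by pinning the connection to the validated address with `Net::HTTP#ipaddr=`, and also rejects IPv4-mapped IPv6 forms, the 169.254.0.0/16 range, and hosts whose answer contains any blocked record; the `resolver:` parameter, `blocked_ip?`, `validate_target`, `pinned_get` and the 203.0.113.0/24 addresses are constructed for this example.

```ruby
require "uri"
require "resolv"
require "ipaddr"
require "net/http"

ALLOWED_HOSTS = ["api.trusted-partner.com"].freeze

# Ranges a proxy must never reach: "this network", RFC 1918, CGNAT, loopback,
# link-local (169.254.0.0/16 carries the cloud metadata service), IPv6 loopback,
# unique-local and link-local.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def blocked_ip?(ip_string)
  ip = IPAddr.new(ip_string)
  ip = ip.native if ip.ipv4_mapped? # ::ffff:10.0.0.1 is really 10.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true # fail closed on anything that does not parse as an address
end

# Returns [uri, ip] when the target passes every check, nil otherwise.
# `resolver` is injectable (constructed for this example) so the logic can run without DNS.
def validate_target(url_string, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url_string)
  return nil unless %w[http https].include?(uri.scheme)
  return nil unless ALLOWED_HOSTS.include?(uri.host)
  addresses = resolver.call(uri.host)
  # Every record in the answer must be clean, not just the first one
  return nil if addresses.empty? || addresses.any? { |a| blocked_ip?(a) }
  [uri, addresses.first]
rescue URI::InvalidURIError
  nil
end

# Connect to the address that was checked; the Host header, SNI and certificate
# verification still use uri.host. Redirects are deliberately not followed.
def pinned_get(uri, ip_address)
  http = Net::HTTP.new(uri.host, uri.port)
  http.ipaddr = ip_address
  http.use_ssl = (uri.scheme == "https")
  http.open_timeout = 5
  http.read_timeout = 5
  http.start { |h| h.get(uri.request_uri) }
end
```

In the Cuba route, `secure_request(url)` becomes `target = validate_target(url)` followed by `pinned_get(*target).body` when `target` is non-nil.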
Verified by Ghost Labs Security Team