Fix SSRF (Server Side Request Forgery) in Hanami
SSRF in Hanami actions occurs when a user-supplied URL is passed to an HTTP client such as Net::HTTP, Faraday, or open-uri without strict validation. The server then issues the request on the attacker's behalf, which lets them pivot into internal networks, scan local ports, or exfiltrate cloud metadata (e.g., the AWS IMDS endpoint). As a Senior AppSec Researcher, I recommend a defense-in-depth approach: protocol enforcement, a domain allowlist, and validation of the resolved IP address to prevent bypasses such as DNS rebinding.
The Vulnerable Pattern
require 'uri'
require 'net/http'

module Web::Actions::Tools
  class Fetcher < Web::Action
    def handle(req, res)
      # VULNERABLE: the user-controlled URL is parsed and passed straight to Net::HTTP.
      # Nothing restricts the scheme, the host, or the address the host resolves to,
      # so an attacker can supply 'http://169.254.169.254/latest/meta-data/'
      # and read the cloud metadata service through this action.
      url = req.params[:url]
      uri = URI.parse(url)
      res.body = Net::HTTP.get(uri)
    end
  end
end
The Secure Implementation
The secure implementation uses the 'ssrf_filter' gem, which is the industry standard for Ruby. Together, the action and the gem mitigate SSRF by:
1. Restricting protocols to HTTPS only.
2. Enforcing a strict hostname allowlist. This check is application logic in the action; the gem itself does not provide an allowlist.
3. Resolving the domain and checking the target IP against RFC1918 (private) and local ranges before the request is made, then connecting to that validated IP directly and re-checking every redirect hop. This prevents attackers from reaching internal services even if they use DNS rebinding or URL shorteners.
Never rely on a simple regex for URL validation; always validate the resolved IP address.
require 'uri'
require 'ssrf_filter'

module Web::Actions::Tools
  class Fetcher < Web::Action
    ALLOWED_DOMAINS = ['trusted-api.com', 'assets.internal.io'].freeze

    def handle(req, res)
      target_url = req.params[:url].to_s
      uri = begin
        URI.parse(target_url)
      rescue URI::InvalidURIError
        halt 400, 'Invalid Request'
      end

      # SECURE: enforce HTTPS and an exact hostname allowlist before anything is fetched.
      # The allowlist is application logic; ssrf_filter does not provide one.
      unless uri.scheme == 'https' && ALLOWED_DOMAINS.include?(uri.host)
        halt 403, 'Access Denied: Unsafe URL detected.'
      end

      begin
        # SECURE: SsrfFilter resolves the host, rejects private, loopback and
        # link-local addresses, connects to the validated IP directly (so a second
        # DNS answer cannot redirect the request), and re-checks each redirect hop.
        response = SsrfFilter.get(target_url, scheme_whitelist: ['https'])
        res.body = response.body
      rescue SsrfFilter::Error
        # Base class of the gem's errors (private IP, unresolved host, bad scheme,
        # too many redirects). Rescue only what is expected; a bare rescue hides bugs.
        halt 403, 'Access Denied: Unsafe URL detected.'
      end
    end
  end
end
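To make the three checks concrete without depending on the gem, the following is an added example (not code from this page, from Hanami, or from the ssrf_filter project) that implements scheme enforcement, a hostname allowlist, and resolved-IP validation against private and local ranges, then builds a Net::HTTP client pinned to the validated address so a later DNS answer cannot change the destination. The module name `SafeUrl`, its methods, the allowlist and every hostname and address are assumptions constructed for the example; the resolver is injectable so the checks can be exercised offline.

```ruby
require 'ipaddr'
require 'net/http'
require 'openssl'
require 'resolv'
require 'uri'

# Added example (not code from the page or the ssrf_filter gem): a self-contained
# version of the checks the page describes, so the logic can be read and tested
# without the gem. The resolver is injectable so the checks run offline; every
# hostname and address used with it is a constructed sample value.
module SafeUrl
  class Rejected < StandardError; end

  ALLOWED_SCHEMES = ['https'].freeze

  # Address ranges an outbound fetch must never reach: RFC1918, loopback, link-local
  # (which contains the cloud metadata address 169.254.169.254), CGNAT, multicast,
  # reserved, and their IPv6 equivalents.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
    ::/128 ::1/128 fc00::/7 fe80::/10 ff00::/8
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Live resolver: every A/AAAA answer as an IPAddr (not used by the offline tests).
  DNS_RESOLVER = lambda do |host|
    Resolv::DNS.new.getaddresses(host).map { |addr| IPAddr.new(addr.to_s) }
  end

  # True if the address falls in a blocked range. IPv4-mapped IPv6 addresses
  # (::ffff:127.0.0.1) are unwrapped first so they cannot slip past the IPv4 rules.
  def self.blocked_ip?(ip)
    ip = IPAddr.new(ip.to_s) unless ip.is_a?(IPAddr)
    ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  end

  # Validates the URL and returns [host, ip]: the allowlisted hostname and the
  # address that was actually checked. The caller must connect to that ip (see
  # pinned_client) rather than resolve again, or a changed DNS answer could
  # point the request somewhere else (DNS rebinding).
  def self.resolve_target(url, allowed_hosts:, resolver: DNS_RESOLVER)
    uri = URI.parse(url.to_s)
    raise Rejected, "scheme #{uri.scheme.inspect} not allowed" unless ALLOWED_SCHEMES.include?(uri.scheme)
    raise Rejected, 'credentials in URL not allowed' if uri.userinfo
    raise Rejected, "host #{uri.host.inspect} not in allowlist" unless allowed_hosts.include?(uri.host)

    ips = resolver.call(uri.host)
    raise Rejected, "#{uri.host} does not resolve" if ips.empty?
    bad = ips.find { |ip| blocked_ip?(ip) }
    raise Rejected, "#{uri.host} resolves to blocked address #{bad}" if bad

    [uri.host, ips.first]
  rescue URI::InvalidURIError => e
    raise Rejected, "malformed URL: #{e.message}"
  end

  # Boolean form of resolve_target for callers that only need a yes/no answer.
  def self.safe?(url, **opts)
    resolve_target(url, **opts)
    true
  rescue Rejected
    false
  end

  # Net::HTTP client that connects to the validated IP but keeps the allowlisted
  # hostname for SNI and certificate verification (Net::HTTP#ipaddr=, Ruby >= 2.5).
  # Redirects are deliberately not followed here; each hop would need the same
  # resolve_target check before being fetched, which is what ssrf_filter automates.
  def self.pinned_client(host, ip, port: 443)
    http = Net::HTTP.new(host, port)
    http.ipaddr = ip.to_s
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http
  end
end
```

In an action you would call `SafeUrl.resolve_target(req.params[:url], allowed_hosts: ALLOWED_DOMAINS)`, pass the returned host and IP to `pinned_client`, and issue the request through that client; a `Rejected` error maps to the 403 in the page's action. The point of returning the checked IP is that validation and connection use the same address: validating a hostname and then letting Net::HTTP resolve it a second time is exactly the window DNS rebinding exploits.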
Verified by Ghost Labs Security Team