Fix SSRF (Server Side Request Forgery) in Masonite
SSRF (Server-Side Request Forgery) in Masonite occurs when an application fetches a remote resource from a user-supplied URL without validating it. An attacker can use the server as a proxy to pivot into internal networks, reach cloud metadata services (such as 169.254.169.254), or bypass firewall rules. In a Masonite application, passing raw user input to the standard 'requests' library or any other HTTP client exposes you to internal network mapping and data exfiltration.
The Vulnerable Pattern
```python
from masonite.controllers import Controller
from masonite.request import Request
import requests


class ProxyController(Controller):
    def fetch_resource(self, request: Request):
        # DANGER: Directly using user input in an outgoing request
        url = request.input('target_url')
        response = requests.get(url, timeout=5)
        return response.text
```
The Secure Implementation
The secure implementation utilizes a multi-layered defense. First, it validates the URL scheme to prevent usage of 'file://', 'gopher://', or 'ftp://'. Second, it implements a strict domain allow-list to ensure the server only communicates with known-good entities. Third, it performs a DNS lookup to verify that the resolved IP address does not belong to a private or local range (RFC 1918 or Link-Local), effectively blocking access to internal services and cloud metadata endpoints. Finally, 'allow_redirects=False' is used to prevent attackers from bypassing domain checks via an open redirect on a trusted host.
```python
from masonite.controllers import Controller
from masonite.request import Request
from urllib.parse import urlparse
import ipaddress
import requests
import socket


class ProxyController(Controller):
    ALLOWED_DOMAINS = ['api.trusted-partner.com', 'cdn.myapp.com']

    def fetch_resource(self, request: Request):
        url = request.input('target_url')
        parsed = urlparse(url)

        # 1. Enforce HTTPS (rejects file://, gopher://, ftp://, http://, ...)
        if parsed.scheme != 'https':
            return {'error': 'Insecure protocol'}, 400

        # 2. Strict domain allow-list (comparing netloc also rejects embedded
        #    credentials such as user@host and non-default ports)
        if parsed.netloc not in self.ALLOWED_DOMAINS:
            return {'error': 'Unauthorized target'}, 403

        # 3. Prevent internal IP access (DNS resolution check).
        #    ipaddress covers all of 127/8, 10/8, 172.16/12, 192.168/16 and 169.254/16;
        #    a string-prefix test such as '172.16.' would miss 172.17.x.x-172.31.x.x.
        try:
            ip_address = ipaddress.ip_address(socket.gethostbyname(parsed.hostname))
            if ip_address.is_private or ip_address.is_loopback or ip_address.is_link_local:
                return {'error': 'Restricted destination'}, 403
        except (OSError, ValueError):
            return {'error': 'Invalid host'}, 400

        # 4. No redirects: an open redirect on a trusted host must not bypass the checks above
        response = requests.get(url, timeout=5, allow_redirects=False)
        return response.text
```
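The validation logic above is easiest to test and reuse when it is pulled out of the controller into a plain function. The following is an added example (not code from the page or from the Masonite project) that implements the same four layers as a standalone validator and goes a little beyond the controller: it checks every resolved address rather than only the first, handles IPv6 and IPv4-mapped IPv6 answers, and rejects URLs carrying credentials or a non-standard port. The hostnames, addresses and the `resolver` injection point are constructed for the example; the injectable resolver exists so the function can be exercised offline against a fixed lookup table.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allow-list for this example (hypothetical hosts, not the project's).
ALLOWED_HOSTS = {"api.trusted-partner.com", "cdn.myapp.com"}


def default_resolver(hostname):
    """Resolve hostname to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def make_table_resolver(table):
    """Build an offline resolver from {hostname: [addresses]} (constructed data for tests)."""
    def resolver(hostname):
        if hostname not in table:
            raise socket.gaierror("constructed resolver: unknown host")
        return list(table[hostname])
    return resolver


def is_disallowed_address(ip_str):
    """True for any destination an outbound fetch must never reach: loopback, RFC 1918,
    link-local (which contains the 169.254.169.254 metadata endpoint), multicast,
    reserved and unspecified addresses, whether IPv4, IPv6 or IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap ::ffff:10.0.0.5 so the IPv4 rules apply to the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return (True, None) if url passes every layer, else (False, reason)."""
    parsed = urlparse(url)
    # Layer 1: scheme. Only https is accepted, so file://, gopher://, ftp:// are out.
    if parsed.scheme != "https":
        return False, "insecure or unsupported scheme"
    # user@host forms are a classic allow-list confusion; refuse them outright.
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in URL"
    host = parsed.hostname  # already lower-cased by urlparse
    if not host:
        return False, "missing host"
    try:
        port = parsed.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "non-standard port"
    # Layer 2: exact-match allow-list on the host name.
    if host not in allowed_hosts:
        return False, "host not on allow-list"
    # Layer 3: resolve and inspect every address the name maps to.
    try:
        addresses = resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    # A name that returns one public and one internal address is rejected,
    # because the HTTP client may connect to either of them.
    for addr in addresses:
        if is_disallowed_address(addr):
            return False, f"host resolves to restricted address {addr}"
    return True, None
```

Two caveats apply to this pattern as well as to the controller above. The validator resolves the name once and `requests` resolves it again when it connects, so a DNS record that changes between the two lookups (DNS rebinding) can defeat the check; keep the validation immediately before the request, use short timeouts, and where the stakes justify it connect to the validated address while setting the `Host` header and TLS SNI yourself. Layer 4 is still the caller's job: issue the request with `allow_redirects=False`, and if redirects must be followed, run each `Location` value through `validate_outbound_url` before following it.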
Verified by Ghost Labs Security Team