Fix SSRF (Server Side Request Forgery) in Roda
SSRF in Roda occurs when the application fetches a user-supplied URL without strict validation, allowing attackers to pivot into internal networks, reach cloud metadata services (169.254.169.254), or bypass firewalls. In a routing tree like Roda, a single unvalidated 'r.params' value passed to an HTTP client can expose the entire backend infrastructure.
The Vulnerable Pattern
require 'roda'
require 'open-uri'

class App < Roda
  plugin :json

  route do |r|
    r.get "fetch" do
      target_url = r.params["url"]
      # VULNERABLE: Direct use of user input in open-uri
      # Allows access to file:///, http://localhost, or internal IPs
      URI.open(target_url).read
    end
  end
end
The Secure Implementation
The fix replaces the open-uri call with the 'ssrf_filter' gem, which implements three critical layers of defense:
1. Protocol Whitelisting: only the schemes you list are accepted (here HTTPS only), so file:// and other non-HTTP schemes are rejected before any request is made.
2. Destination Blacklisting: the resolved address is checked against RFC 1918 private ranges, loopback, and link-local addresses (which covers the 169.254.169.254 metadata endpoint).
3. DNS Rebinding Protection: the hostname is resolved once, the resulting IP is validated, and the socket is opened to that validated IP rather than resolving the name a second time at connect.
By halting the request when a restricted IP is detected, we prevent the attacker from scanning the internal environment.
require 'roda'
require 'ssrf_filter'

class App < Roda
  plugin :json

  route do |r|
    r.get "fetch" do
      target_url = r.params["url"]
      begin
        # SECURE: SsrfFilter resolves the host, rejects private, loopback and
        # link-local addresses, and connects to the validated IP.
        # scheme_whitelist restricts the request to HTTPS.
        response = SsrfFilter.get(target_url, scheme_whitelist: ['https'])
        response.body
      rescue SsrfFilter::Error, ArgumentError, URI::InvalidURIError
        r.halt(403, { error: 'Access Denied: Invalid Target' }.to_json)
      end
    end
  end
end
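To make the three layers concrete, here is an added, dependency-free sketch of the same checks (it is not code from the original article or from the ssrf_filter gem). The resolver is injected so the logic can be exercised offline; SafeTarget, resolve and allowed? are hypothetical names, and the blocked-range list is illustrative rather than exhaustive.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

module SafeTarget
  # Illustrative deny list: RFC 1918, loopback, link-local (covers 169.254.169.254),
  # "this network", IPv6 loopback, unique-local and link-local. Not exhaustive.
  BLOCKED = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16
               0.0.0.0/8 ::1/128 fc00::/7 fe80::/10].map { |cidr| IPAddr.new(cidr) }.freeze
  ALLOWED_SCHEMES = %w[https].freeze

  Error = Class.new(StandardError)

  # Layer 1: scheme whitelist. Layer 2: every resolved address is checked
  # against BLOCKED. Layer 3: the validated IP is returned so the caller
  # connects to it directly (sending the original hostname as Host/SNI)
  # instead of resolving again, which is the window DNS rebinding exploits.
  # Returns [uri, validated_ip]; raises SafeTarget::Error when the target is unsafe.
  def self.resolve(url, resolver: ->(host) { Resolv.getaddresses(host) })
    uri = URI.parse(url)
    raise Error, "scheme not allowed: #{uri.scheme.inspect}" unless ALLOWED_SCHEMES.include?(uri.scheme)
    host = uri.hostname # strips [] from IPv6 literals
    raise Error, 'missing host' if host.nil? || host.empty?

    addresses = begin
      [IPAddr.new(host)] # literal IP in the URL: nothing to resolve
    rescue IPAddr::InvalidAddressError
      resolver.call(host).map { |a| IPAddr.new(a) }
    end
    raise Error, "unresolvable host: #{host}" if addresses.empty?

    addresses.each do |ip|
      ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 -> 127.0.0.1
      raise Error, "blocked address: #{ip}" if BLOCKED.any? { |range| range.include?(ip) }
    end
    [uri, addresses.first]
  end

  # Convenience predicate: true when resolve would succeed for this URL.
  def self.allowed?(url, resolver: ->(host) { Resolv.getaddresses(host) })
    resolve(url, resolver: resolver)
    true
  rescue Error
    false
  end
end
```

A host that resolves to several addresses is rejected if any one of them is blocked, since an attacker controls which record a later lookup returns.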
Verified by Ghost Labs Security Team