GuardAPI

Fix SSRF (Server Side Request Forgery) in Sails

SSRF in Sails.js occurs when your backend fetches a user-supplied URL without validating it, which turns your server into a proxy for the attacker: they can reach services bound to localhost, scan the internal network, or read cloud instance metadata at 169.254.169.254. If you pass req.param('url') straight into axios or needle, you have this bug. Close it by enforcing a strict hostname allow-list, restricting the protocol, and refusing redirects.

The Vulnerable Pattern

module.exports = {
  fetchData: async function (req, res) {
    const axios = require('axios');
    const target = req.param('url');
    // VULNERABLE: Direct injection of user input into request
    try {
      const response = await axios.get(target);
      return res.ok(response.data);
    } catch (err) {
      return res.serverError(err);
    }
  }
};

The Secure Implementation

The secure implementation uses three layers of defense. First, it parses the URL with the native 'url' module, so every later check runs against the normalized hostname instead of the raw string; a substring or regex match on the raw input is trivially evaded with userinfo tricks such as https://api.trusted.com@10.0.0.1/ (whose hostname is 10.0.0.1) or a decimal or hex IP. Second, it enforces an allow-list of trusted hostnames; localhost, bare IP literals and the cloud metadata endpoint are rejected simply because they are not on the list, which is far more robust than any deny-list. Third, it disables redirects (maxRedirects: 0); this is crucial because an allow-listed host could answer with a 3xx pointing at an internal address, and the HTTP client would otherwise follow it. With axios this means a 3xx is treated as a failed request rather than followed, so a partner that legitimately redirects must be called at its final URL. What the allow-list does not cover is a trusted hostname that resolves, or is later rebound, to an internal IP. For high-security environments, use a library like 'ssrf-agent' to validate the resolved IP address before the request is dispatched, and make sure that check blocks not only the RFC 1918 private ranges but also loopback (127.0.0.0/8), link-local (169.254.0.0/16, where the metadata service lives) and their IPv6 equivalents, including IPv4-mapped addresses.

const { URL } = require('url');
const axios = require('axios');

const ALLOWED_HOSTS = ['api.trusted.com', 'cdn.partner.io'];

module.exports = {
  fetchData: async function (req, res) {
    const target = req.param('url');
    try {
      const parsed = new URL(target);
      // 1. Enforce HTTPS only
      if (parsed.protocol !== 'https:') return res.badRequest('Invalid protocol');
      // 2. Strict domain allow-list
      if (!ALLOWED_HOSTS.includes(parsed.hostname)) return res.forbidden('Domain not authorized');

      const response = await axios.get(target, {
        timeout: 2000,
        maxRedirects: 0 // 3. Prevent redirect-based SSRF
      });
      return res.ok(response.data);
    } catch (err) {
      return res.badRequest('Invalid URL or Request Failed');
    }
  }
};


Verified by Ghost Labs Security Team