GuardAPI Logo
GuardAPI

Fix SSRF (Server Side Request Forgery) in Spiral

SSRF in the Spiral framework typically manifests when the application acts as a proxy or resource fetcher, blindly trusting user-supplied URLs. In a RoadRunner-backed environment, an attacker can leverage this to pivot into the internal network, probe local services, or exfiltrate sensitive cloud metadata (e.g., 169.254.169.254). If your Spiral controllers are using an injected HttpClientInterface to fetch external data, you must implement strict validation to prevent internal network exposure.

The Vulnerable Pattern

public function index(ServerRequestInterface $request, \Symfony\Contracts\HttpClient\HttpClientInterface $client): ResponseInterface
{
    // VULNERABLE: The 'url' parameter is used directly without validation.
    $url = $request->getQueryParams()['url'];
    $response = $client->request('GET', $url);

return new Response(200, [], $response->getContent());


}

The Secure Implementation

To kill SSRF, you must adopt a 'Zero Trust' approach to user input. The secure implementation first enforces a protocol whitelist (HTTP/S only) to prevent URI scheme attacks (e.g., file://, gopher://). It then resolves the hostname to an IP address and validates it against private/reserved IP ranges using PHP's filter_var. This prevents 'DNS Rebinding' and ensures the request cannot reach internal metadata services or local databases. For the highest security, use a hard allow-list of domains your application is permitted to communicate with.

public function index(ServerRequestInterface $request, \Symfony\Contracts\HttpClient\HttpClientInterface $client): ResponseInterface
{
    $targetUrl = $request->getQueryParams()['url'] ?? '';
    $parts = parse_url($targetUrl);

// 1. Protocol Whitelisting
if (!in_array($parts['scheme'], ['http', 'https'], true)) {
    throw new \InvalidArgumentException('Invalid protocol');
}

// 2. DNS Resolution & Private IP Check
$ip = gethostbyname($parts['host']);
$isInternal = !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);

if ($isInternal) {
    throw new \SecurityException('Access to internal network is prohibited');
}

// 3. Domain Allow-listing (Recommended)
$allowedHosts = ['api.trusted-service.com'];
if (!in_array($parts['host'], $allowedHosts, true)) {
    throw new \SecurityException('Unauthorized host');
}

$response = $client->request('GET', $targetUrl, ['timeout' => 2.0]);
return new Response(200, [], $response->getContent());


}

System Alert • ID: 9051
Target: Spiral API
Potential Vulnerability

Your Spiral API might be exposed to SSRF (Server Side Request Forgery)

74% of Spiral apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X