Update SSRF sandbox control message to be more explicit (#442)

nahsra · web-flow · commit 83a55ced6e7d · 2024-08-23T09:24:22.000-04:00
A user requested that the SSRF codemod present a more clear, explicit
explanation of what the change will do.
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/SSRFCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/SSRFCodemod/report.json
@@ -1,7 +1,7 @@
 {
   "summary" : "Sandboxed URL creation to prevent SSRF attacks",
   "control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/Urls.java",
-  "change": "Wrapped the URL creation with a method that forces the caller to pick allowed protocols and domains that this URL can reach",
+  "change": "Added a control method that limits the protocols to HTTP(S) and limits the host to non-infrastructure targets (e.g., blocks AWS metadata hosts, typical network gateway addresses.)",
 
   "reviewGuidanceJustification" : "By default, the protection only weaves in 2 checks, which we believe will not cause any issues with the vast majority of code:\n* The given URL must be HTTP/HTTPS.\n* The given URL must not point to a \"well-known infrastructure target\", which includes things like AWS Metadata Service endpoints, and internal routers (e.g., 192.168.1.1) which are common targets of attacks.\n\nHowever, on rare occasions an application may use a URL protocol like \"file://\" or \"classpath://\" in backend or middleware code.\n\nIf you want to allow those protocols, change the incoming PR to look more like this and get the best security possible:\n\n```\n-URL u = new URL(url);\n+Set<UrlProtocol> fileProtocols = Set.of(UrlProtocol.FILE, UrlProtocol.CLASSPATH);\n+URL u = Urls.create(url, fileProtocols);\n```",
 

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"summary" : "Sandboxed URL creation to prevent SSRF attacks",`
`3`	`3`	`"control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/Urls.java",`
`4`		`- "change": "Wrapped the URL creation with a method that forces the caller to pick allowed protocols and domains that this URL can reach",`
	`4`	`+ "change": "Added a control method that limits the protocols to HTTP(S) and limits the host to non-infrastructure targets (e.g., blocks AWS metadata hosts, typical network gateway addresses.)",`
`5`	`5`
`6`	`6`	"reviewGuidanceJustification" : "By default, the protection only weaves in 2 checks, which we believe will not cause any issues with the vast majority of code:\n* The given URL must be HTTP/HTTPS.\n* The given URL must not point to a \"well-known infrastructure target\", which includes things like AWS Metadata Service endpoints, and internal routers (e.g., 192.168.1.1) which are common targets of attacks.\n\nHowever, on rare occasions an application may use a URL protocol like \"file://\" or \"classpath://\" in backend or middleware code.\n\nIf you want to allow those protocols, change the incoming PR to look more like this and get the best security possible:\n\n```\n-URL u = new URL(url);\n+Set<UrlProtocol> fileProtocols = Set.of(UrlProtocol.FILE, UrlProtocol.CLASSPATH);\n+URL u = Urls.create(url, fileProtocols);\n```",
`7`	`7`