Story (Required)

Mitigate Server Side Request Forgery (SSRF) by employing the following best practices:

• Utilize whitelists and identify the IP addresses the application needs to access. Do not use blacklists and regular expressions directly on the user input as they are bad practice and can be easily bypassed. The attacker can use HTTP redirect, wildcard DNS services like xip.io, or even alternate IP encoding to bypass blacklists and regular expressions.
• Sanitize the output of the request before relaying its response to the user. Make sure the response received by the server application is actually what it expects it to be before sending it back to the user. Prevent any information leakage to the attacker.

Background (Required)

Refer to the Epic description.

Out of scope

Any previous counter measures.

Approach (Required)

- Discuss this issue in the bug triage or cabal.

Dependencies

NA

Acceptance Criteria (Mandatory)

• Bring this issue to the bug triage call and take a decision on the counter measure.
• If further discussion is needed, bring this issue to the cabal.

INVEST Checklist

Dependencies identified

Blockers noted and expected delivery timelines set

Design is implementable

Acceptance criteria agreed upon

Story estimated

Legend

Unknown

Verified

Unsatisfied

Done Checklist

• Code is completed, reviewed, documented and checked in
• Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
• Continuous Delivery pipeline(s) is able to proceed with new code included
• Customer facing documentation, API docs etc. are produced/updated, reviewed and published
• Acceptance criteria are met