Server-side request forgery (severity: High)

Server-side request forgery (SSRF) is a web application vulnerability where an attacker can cause the server to make requests to unintended resources or systems. This can lead to unauthorized access to data or systems that the server can access but the attacker cannot directly access. Proper input validation, whitelisting, and access controls are necessary to mitigate SSRF vulnerabilities.

Detector ID
kotlin/server-side-request-forgery@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

import io.ktor.server.application.*
import io.ktor.server.engine.*
import io.ktor.server.netty.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import java.net.URL

// Noncompliant: a user-controlled URL is passed straight to URL(url).readText(),
// so the server fetches whatever target the client names, and the fetched body
// is then returned to the client via respondText().
fun noncompliant() {
    embeddedServer(Netty, port = 8080) {
        routing {
            post("/proxy/{url}") {
                // Taint source: the "url" query parameter is attacker-controlled.
                val url = call.request.queryParameters["url"]
                if (url != null) {
                    // Taint sink: the server opens an outbound connection to the
                    // unvalidated URL (any scheme, host, or port).
                    val data = URL(url).readText()
                    call.respondText(data)
                }
            }
        }
    }.start(wait = true)
}

Compliant example

import io.ktor.server.application.*
import io.ktor.server.engine.*
import io.ktor.server.netty.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import java.net.URL

// Compliant: the outbound request target is a server-defined constant, so no
// client input reaches URL(url).readText().
fun compliant() {
    embeddedServer(Netty, port = 8080) {
        routing {
            post("/proxy/{url}") {
                // Placeholder: replace with the trusted upstream URL.
                val url = "<hardcoded_url>"
                if (url != null) {
                    val data = URL(url).readText()
                    call.respondText(data)
                }
            }
        }
    }.start(wait = true)
}
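A hard-coded target removes the finding but also removes the feature. When the proxy must accept a client-supplied URL, the mitigation the description names (input validation, allowlisting) looks like the following. This is an added example written for this page, not the detector's own code or Ktor project code; the hosts in ALLOWED_HOSTS, the route path, and the function names are assumptions chosen for illustration.

```kotlin
import io.ktor.http.HttpStatusCode
import io.ktor.server.application.*
import io.ktor.server.engine.*
import io.ktor.server.netty.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import java.net.HttpURLConnection
import java.net.URI
import java.net.URISyntaxException

// Hypothetical allowlist: the only upstream hosts this proxy is permitted to fetch from.
val ALLOWED_HOSTS = setOf("api.example.com", "static.example.com")

// Parses and validates a client-supplied URL. Returns the URI only if every
// component is acceptable; any other input is rejected with null.
fun validateTarget(raw: String): URI? {
    val uri = try {
        URI(raw)
    } catch (e: URISyntaxException) {
        return null
    }
    if (uri.scheme != "https") return null             // reject http://, file://, gopher://, ...
    if (uri.userInfo != null) return null               // reject user@host forms
    val host = uri.host?.lowercase() ?: return null     // null for opaque or malformed URIs
    if (host !in ALLOWED_HOSTS) return null             // exact-match allowlist, no suffix matching
    if (uri.port != -1 && uri.port != 443) return null  // only the default TLS port
    return uri
}

// Fetches the body without following redirects, so an allowed host cannot
// bounce the server to an internal address via a 3xx response.
fun fetchNoRedirect(uri: URI): String? {
    val conn = uri.toURL().openConnection() as HttpURLConnection
    conn.instanceFollowRedirects = false
    conn.connectTimeout = 3_000
    conn.readTimeout = 5_000
    return if (conn.responseCode in 200..299) {
        conn.inputStream.bufferedReader().use { it.readText() }
    } else {
        null
    }
}

fun hardenedProxy() {
    embeddedServer(Netty, port = 8080) {
        routing {
            post("/proxy") {
                val raw = call.request.queryParameters["url"]
                val target = raw?.let(::validateTarget)
                if (target == null) {
                    // Rejected input is logged by the caller's choice of logger; respond generically.
                    call.respondText("target not allowed", status = HttpStatusCode.BadRequest)
                    return@post
                }
                val body = fetchNoRedirect(target)
                if (body == null) {
                    call.respondText("upstream error", status = HttpStatusCode.BadGateway)
                } else {
                    call.respondText(body)
                }
            }
        }
    }.start(wait = true)
}
```

The allowlist is matched exactly on the parsed host, not by substring or prefix, and scheme, port, and userinfo are checked separately so that URL parsing quirks cannot smuggle a different target past the host check. Redirects are disabled because an allowed host that redirects elsewhere would otherwise turn the proxy back into an open fetcher. A hostname allowlist does not by itself address DNS rebinding; where that matters, resolve the host once, verify the resolved address is not in a private or loopback range, and connect to that pinned address.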