SkyMoney/tests-results-for-OWASP/A10-Server-Side-Request-Forgery.md
Ricearoni1245 079b8b9492
chore: root commit of OWASP security testing/tightening
2026-03-01 20:46:47 -06:00

A10: Server-Side Request Forgery (SSRF)

Last updated: March 1, 2026

Findings addressed

  1. Production APP_ORIGIN previously enforced HTTPS but did not explicitly block localhost/private-network targets.
  2. SSRF posture needed explicit verification that API runtime code does not introduce generic outbound HTTP clients for user-influenced targets.

Fixes implemented

  1. Hardened production APP_ORIGIN validation in env parsing:
     • Requires valid URL format.
     • Rejects localhost/private-network hosts:
       • localhost, 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, ::1, 0.0.0.0, .local.
  2. Added dedicated A10 verification tests:
     • Rejects private/loopback APP_ORIGIN in production mode.
     • Asserts API server source (api/src/server.ts) does not use generic outbound HTTP request clients (fetch, axios, http.request, https.request).
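The two checks above, written out as an added example rather than the project's own api/src/env.ts or test code. The validator parses APP_ORIGIN with the WHATWG URL class, which normalizes hosts before the private-range test (so `https://2130706433/` and `https://127.1/` both arrive as `127.0.0.1`, and an IPv4-mapped IPv6 literal arrives in hex form), then applies the ranges from the list above. The source scan is a line-level regex heuristic over a constructed snippet. Function names (`isPrivateHost`, `validateAppOrigin`, `findOutboundHttpClients`) and the `0.0.0.0/8` treatment of the "0.0.0.0" entry are this example's assumptions.

```typescript
// Added example (not the project's code). Hypothetical helpers for a
// production APP_ORIGIN validator and an outbound-HTTP-client source scan.

// Private/loopback/link-local IPv4 blocks from the finding. "0.0.0.0" is
// widened here to the whole 0.0.0.0/8 "this network" block (assumption).
const PRIVATE_V4_RANGES: ReadonlyArray<[string, number]> = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["169.254.0.0", 16], ["0.0.0.0", 8],
];

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if not dotted-quad.
function parseIPv4(host: string): number | null {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v; // multiply instead of shift to stay unsigned
  }
  return n;
}

function inCidr(addr: number, base: number, bits: number): boolean {
  const shift = 2 ** (32 - bits);
  return Math.floor(addr / shift) === Math.floor(base / shift);
}

// Decide from the hostname string alone; no DNS resolution happens here.
export function isPrivateHost(hostname: string): boolean {
  let h = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  if (h === "localhost" || h.endsWith(".localhost") || h.endsWith(".local")) return true;
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1); // URL.hostname brackets IPv6
  if (h === "::1" || h === "::") return true;
  // IPv4-mapped IPv6: WHATWG URL serializes ::ffff:10.0.0.1 as ::ffff:a00:1,
  // so accept both the hex and the dotted spelling and test the embedded IPv4.
  const hex = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  const dotted = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  let v4: number | null;
  if (hex) v4 = parseInt(hex[1], 16) * 65536 + parseInt(hex[2], 16);
  else v4 = parseIPv4(dotted ? dotted[1] : h);
  if (v4 === null) return false; // a DNS name: not known-private from syntax alone
  return PRIVATE_V4_RANGES.some(([base, bits]) => inCidr(v4 as number, parseIPv4(base)!, bits));
}

// Mirrors the env-parsing rule: valid URL always; https + public host in production.
export function validateAppOrigin(value: string, nodeEnv: string): string {
  let url: URL;
  try { url = new URL(value); } catch { throw new Error("APP_ORIGIN must be a valid URL"); }
  if (nodeEnv === "production") {
    if (url.protocol !== "https:") throw new Error("APP_ORIGIN must use https in production");
    if (isPrivateHost(url.hostname)) throw new Error(`APP_ORIGIN host is loopback/private: ${url.hostname}`);
  }
  return url.origin;
}

// Convenience for tests: true when production parsing rejects the value.
export function appOriginRejected(value: string, nodeEnv = "production"): boolean {
  try { validateAppOrigin(value, nodeEnv); return false; } catch { return true; }
}

// Line-level heuristic for generic outbound HTTP clients in server source.
const OUTBOUND_CLIENT_PATTERNS: ReadonlyArray<RegExp> = [
  /\bfetch\s*\(/, /\baxios\b/, /\bhttps?\.request\s*\(/, /\bhttps?\.get\s*\(/,
];
export function findOutboundHttpClients(source: string): string[] {
  return source.split("\n").flatMap((line, i) =>
    OUTBOUND_CLIENT_PATTERNS.some((re) => re.test(line)) ? [`${i + 1}: ${line.trim()}`] : []);
}

// Constructed sample sources (not the project's server.ts).
export const SAMPLE_SMTP_ONLY = [
  "import nodemailer from 'nodemailer';",
  "const transport = nodemailer.createTransport({ host: process.env.SMTP_HOST });",
].join("\n");
export const SAMPLE_WITH_FETCH = SAMPLE_SMTP_ONLY + "\nconst r = await fetch(req.query.url);";
```

Because the private-range test runs on the string the URL parser hands back, octal, decimal-integer and abbreviated IPv4 spellings are normalized before the check. The scan is deliberately crude (it will flag a comment mentioning `fetch(`), which is the right bias for a guard test that should fail loudly and be reviewed by a human.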

Files changed

  1. api/src/env.ts
  2. api/tests/server-side-request-forgery.test.ts
  3. api/vitest.security.config.ts

Verification

Command:

cd api
npx vitest run -c vitest.security.config.ts tests/server-side-request-forgery.test.ts

Verified output:

  • Test Files: 1 passed (1)
  • Tests: 3 passed (3)

Dedicated A10 checks in server-side-request-forgery.test.ts:

  1. Asserts production env parsing rejects multiple private/localhost APP_ORIGIN variants.
  2. Asserts production env parsing accepts public HTTPS APP_ORIGIN.
  3. Asserts API source code has no generic outbound HTTP client usage (fetch, axios, http.request, https.request) outside test scripts.

Residual notes

  1. Current API architecture has minimal outbound HTTP surface (primarily SMTP transport).
  2. If future features add URL fetch/proxy/webhook integrations, enforce strict destination allowlists and network egress controls at implementation time. The APP_ORIGIN check above is syntactic (it inspects the configured hostname, not what it resolves to), so any user-influenced outbound request must also resolve the destination and re-check the resulting address at connect time.