ast/ssrf-http-user-url
SSRF: HTTP client called with user-controlled URL
What it detects
One of fetch, axios, http, got, superagent, needle, ky or undici was called with a URL sourced from req.body, req.query, req.params, req.headers, ctx.request, or `userInput`. An attacker can redirect the request to internal-only endpoints (the AWS metadata service at 169.254.169.254, internal microservices, the Docker socket) and exfiltrate the response. Validate the URL against an allow-list of hosts before issuing the request.
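The call shape this rule flags, beside the allow-list check the guidance above asks for, as an added example that is not the rule's own code or part of the original page. The `resolveOutboundUrl` helper, the `ALLOWED_HOSTS` list and its hostnames, and the Express-style request handlers are assumptions made for the illustration.

```javascript
// Added example, not part of this rule's code or the original page. It shows the
// call shape the rule flags next to the allow-list check the guidance asks for.
// ALLOWED_HOSTS, the hostnames in it and the Express-style handlers are assumptions.

const ALLOWED_HOSTS = new Set(['api.example.com', 'images.example.com']);

// Returns the normalised URL string when userInput names an allow-listed host over
// HTTPS, otherwise null. Exact hostname matching also excludes IP literals such as
// 169.254.169.254, so link-local and loopback targets are rejected without a
// separate IP check.
function resolveOutboundUrl(userInput, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(userInput)); // WHATWG parser: throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;                   // no http:, file:, gopher:, ...
  if (url.username !== '' || url.password !== '') return null;  // reject embedded credentials
  if (!allowedHosts.has(url.hostname)) return null;             // hostname is lower-cased by the parser
  if (url.port !== '') return null;                             // default port only; URL drops ':443' itself
  return url.href;
}

// Flagged by the rule: the URL flows straight from req.query into fetch.
async function vulnerableHandler(req, res) {
  const upstream = await fetch(req.query.url);
  res.send(await upstream.text());
}

// Hardened form: fetch is only ever called with a URL that passed the check, and
// redirects are not followed so an allow-listed host cannot bounce the request elsewhere.
async function hardenedHandler(req, res) {
  const target = resolveOutboundUrl(req.query.url);
  if (target === null) {
    res.status(400).send('URL not allowed');
    return;
  }
  const upstream = await fetch(target, { redirect: 'manual' });
  res.send(await upstream.text());
}
```

The check is deliberately an exact match on the parsed hostname rather than a prefix or substring test on the raw string, because the parser, not a regex, decides which host the HTTP client will actually connect to. Passing `redirect: 'manual'` matters for the same reason: an allow-listed host that answers with a 3xx would otherwise make the client contact a host the check never saw.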
How it runs
Each scanned file is parsed with the TypeScript Compiler API (via ts-morph), and this rule walks the resulting AST looking for the call shape and user-input flow described above. Files larger than 200 KB, or that fail to parse, are skipped.
Found a false positive or want this rule tuned? File an issue. You can also suppress it per repository with a line in .repoguardignore.