← all rules

code/js-ssrf-fetch-user-input

SSRF: HTTP client called with user-controlled URL

criticalCode regexssrfCWE-918js

What it detects

A request library is invoked with a URL derived from the HTTP request. Attackers can redirect the request to internal metadata endpoints (e.g. AWS 169.254.169.254) or internal services.

How it runs

Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.