← back to lessons

The "guard-exists-but-unwired" SSRF tell - now a 3-instance validated pattern (2026-06-21)

The pattern

When auditing a "fetch-a-user-URL" sink for SSRF, the strongest finding (and the strongest anti-by-design argument) is when the project HAS AUTHORED an SSRF/internal-IP guard somewhere in its own codebase but FAILS TO CALL IT on the sink you're looking at. The existence of the guard proves intent-to-block-internal -> reaching internal/metadata via the unguarded sink is a DEFECT, not the promised "fetch-a-URL" feature. This defeats the maintainer's #1 rejection ("SSRF in a fetch tool is by-design").

How to detect it (cheap, do it on every SSRF candidate)

  1. Find the sink (grep outbound fetchers: requests/httpx/aiohttp/urllib + selenium scrapers).
  2. Grep the WHOLE repo for an existing guard: is_url_safe|_validate_url|IsInternetIp|private|loopback|169.254|link.?local|allowlist|deny.?list|is_internal.
  3. If a guard EXISTS, find its callers (grep -rn <guardName>). If the SSRF sink you found is NOT among the callers -> "guard-exists-but-unwired" = high-value, by-design-defeating finding.
  4. Confirm no GLOBAL egress proxy/allowlist intercepts the path either.

The 3 validated instances

Why it compounds

Caveat learned same cycle (lollms)

A heavily-CVE'd / popular target raises private-dup risk (huntr reports are embargoed/invisible until disclosed). The guard-unwired finding can be technically strong AND already privately reported. Flag the saturation-risk honestly; let the operator's independent pass + the platform's dup-detection adjudicate. Don't over-invest live-PoC compute on a popular target pre-greenlight. Related: [[feedback_cross_fork_portlag_primitive]] (the incomplete-fix-after-CVE intersection); the cycle264 live-SSRF-confirm kit (canary-with-control + status-oracle).

Generated 2026-07-02 13:15:04 UTC | auto-sync /15min