framework icon indicating copy to clipboard operation
framework copied to clipboard
verified publisher icon windwalker-io

Prevent API injection or SSRF attack

Open asika32764 opened this issue 2 years ago • 1 comments

  • HttpClient call another API
    • params should not concat to URI string
    • try use prepare() or escape
  • Do not have any http params use to load filesystem path
$http->get('https://api.com/users/:id/posts', [ 'params' => [ 'id' => 123 ] ])

asika32764 avatar Jun 01 '23 02:06 asika32764

See also

  • https://symfony.com/doc/current/http_client.html#ssrf-server-side-request-forgery-handling
  • https://symfony.com/doc/current/http_client.html#using-uri-templates

asika32764 avatar Jul 11 '23 17:07 asika32764