java spring-boot resttemplate veracode ssrf

Getting Server-Side Request Forgery (SSRF) (CWE ID 918) restTemplate.getForEntity


I am using restTemplate for synchronous inter-service communication in a microservices architecture.

When we completed the Veracode scan, we got Server-Side Request Forgery (SSRF) (CWE ID 918) in the getForEntity method.

restTemplate.getForEntity(URL, Entity.class);

Not sure why I am getting this SSRF issue.
What would be the possible fix for this?


Solution

  • I have fixed this issue by building the URL using UriComponents before using it in restTemplate.

    UriComponents uriComponents = UriComponentsBuilder.newInstance()
      .scheme("http").host("www.yourdomain.com").path("/yourPath").build();
    

    Please refer to this link on using UriComponents: https://www.baeldung.com/spring-uricomponentsbuilder
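
A fuller version of the approach in the answer above, as an added example that is not the original poster's code: CWE-918 concerns a request URL that untrusted input can influence, so the scheme and host here come only from a fixed map and the caller-supplied value is validated and expanded as an encoded path variable. The class name, service names, hosts, path and id format are all assumptions made for illustration.

```java
import java.net.URI;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

public class InventoryClient {

    // Assumption: logical service names map to fixed internal hosts (constructed values).
    private static final Map<String, String> SERVICE_HOSTS = Map.of(
            "inventory", "inventory.internal.example",
            "pricing", "pricing.internal.example");

    // Assumption: item ids are short alphanumeric tokens.
    private static final Pattern ITEM_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private final RestTemplate restTemplate;

    public InventoryClient(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;
    }

    /** Builds the target URI from fixed parts; caller input never supplies the scheme or host. */
    static URI buildItemUri(String service, String itemId) {
        // Map.of rejects null lookups, so check for null before touching the map.
        if (service == null || !SERVICE_HOSTS.containsKey(service)) {
            throw new IllegalArgumentException("Unknown service");
        }
        if (itemId == null || !ITEM_ID.matcher(itemId).matches()) {
            throw new IllegalArgumentException("Invalid item id");
        }
        return UriComponentsBuilder.newInstance()
                .scheme("https")
                .host(SERVICE_HOSTS.get(service))
                .path("/items/{id}")
                .encode()               // template encoded now, variables strictly on expansion
                .buildAndExpand(itemId)
                .toUri();
    }

    public ResponseEntity<String> fetchItem(String service, String itemId) {
        // Passing a URI (not a String) avoids a second round of template expansion and encoding.
        return restTemplate.getForEntity(buildItemUri(service, itemId), String.class);
    }
}
```

Building the URL with UriComponentsBuilder only addresses the finding when the host passed to it is not itself taken from request data, which is why the lookup and validation happen before the builder is called.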