[API Policies] URL Guardrail Policy Security Issue

## Overview

 **Critical Security Vulnerability** - Server-Side Request Forgery (SSRF) vulnerability allows attackers to probe internal infrastructure.

---

## Issue Details

### Missing URL Validation Enables SSRF Attacks

**File:** `urlguardrail.go` (lines 293-313)

**Description:**
The `checkURL` and `checkDNS` methods make unrestricted network requests (HTTP HEAD and DNS lookups) to URLs extracted from payloads without validation. This enables Server-Side Request Forgery attacks.

**Attack Vectors:**
- Inject URLs targeting internal services
- Access cloud metadata endpoints (169.254.169.254)
- Perform reconnaissance on internal network topology
- Probe internal APIs and services

**Required Validation:**
Add validation before network requests to reject:
- Private IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
- Localhost/loopback addresses (127.0.0.1, ::1)
- Cloud metadata endpoints
- Non-HTTP(S) schemes

**Impact:**
Attackers can use the policy to probe internal infrastructure and access sensitive endpoints.

## Reference
- https://github.com/wso2/gateway-controllers/pull/1#:~:text=%F0%9F%9F%A0%20Major%20comments%20(20,1%2D13%20(1)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[API Policies] URL Guardrail Policy Security Issue #697

Overview

Issue Details

Missing URL Validation Enables SSRF Attacks

Reference

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[API Policies] URL Guardrail Policy Security Issue #697

Description

Overview

Issue Details

Missing URL Validation Enables SSRF Attacks

Reference

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions