Backend safety

no-ssrf

Flag outbound HTTP calls whose URL is derived from request input (CWE-918).

AI-generated "fetch a URL the user supplies" features ship SSRF almost every time. The rule covers `fetch`, `axios`, `http.request`, `got`, `ky`, `superagent`, and `axios({ url })` config shapes, plus `new URL(req.query.path, base)`. The rule only flags the data flow from request input into the outbound call; the fix has to happen at runtime. Resolve the host before fetching and reject private, loopback, link-local and cloud-metadata addresses explicitly: checking the hostname string alone is not enough, because a hostname the attacker controls can resolve to an internal address.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

fetch(req.body.url);

Good:

fetch(allowedHosts[req.body.target]);
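When the set of destinations is not fixed in advance, the allow-list in the Good example above does not apply and the description's advice (resolve first, reject non-public addresses) has to be implemented. The following is an added example, not code from @deslint or this page. It assumes Node 18 or later (global `fetch`, `node:dns`); the names `safeFetch`, `isForbiddenAddress`, `BLOCKED_V4` and the injectable `lookup` / `fetchImpl` parameters are introduced here for illustration.

```javascript
// Added example (not part of @deslint): a hardened outbound fetch that
// allow-lists the scheme, resolves the host, and refuses private, loopback,
// link-local (cloud metadata) and otherwise non-public addresses.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Non-public IPv4 ranges. 169.254.0.0/16 covers the 169.254.169.254 metadata endpoint.
const BLOCKED_V4 = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/3'];

// Dotted-quad IPv4 -> 32-bit unsigned number, or null if not a plain dotted quad.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return o[0] * 2 ** 24 + o[1] * 2 ** 16 + o[2] * 256 + o[3];
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// Expand an IPv6 literal (including the IPv4-mapped ::ffff:a.b.c.d form) into
// eight 16-bit groups, or null if it does not parse.
function expandIPv6(s) {
  let str = s.toLowerCase();
  const v4 = /^(.*:)(\d+\.\d+\.\d+\.\d+)$/.exec(str);
  if (v4) {
    const n = parseIPv4(v4[2]);
    if (n === null) return null;
    str = `${v4[1]}${(n >>> 16).toString(16)}:${(n & 0xffff).toString(16)}`;
  }
  const halves = str.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail]
    .map((g) => (/^[0-9a-f]{1,4}$/.test(g) ? parseInt(g, 16) : NaN));
  return groups.some(Number.isNaN) ? null : groups;
}

// True for any address an outbound request must never reach. Unparseable
// input is treated as forbidden (fail closed).
function isForbiddenAddress(ip) {
  const v4 = parseIPv4(ip);
  if (v4 !== null) return BLOCKED_V4.some((c) => inCidr(v4, c));
  const g = expandIPv6(ip);
  if (g === null) return true;
  if (g.every((x) => x === 0)) return true;                           // ::  unspecified
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return true; // ::1 loopback
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {       // ::ffff:a.b.c.d
    return BLOCKED_V4.some((c) => inCidr(g[6] * 65536 + g[7], c));
  }
  return (g[0] & 0xfe00) === 0xfc00   // fc00::/7  unique local
    || (g[0] & 0xffc0) === 0xfe80     // fe80::/10 link-local
    || (g[0] & 0xffc0) === 0xfec0     // fec0::/10 deprecated site-local
    || (g[0] & 0xff00) === 0xff00;    // ff00::/8  multicast
}

// Default resolver: every address getaddrinfo returns for the host.
async function defaultLookup(host) {
  const { promises: dns } = await import('node:dns');
  const records = await dns.lookup(host, { all: true });
  return records.map((r) => r.address);
}

// Fetch a user-supplied URL only after validating where it will connect.
// `lookup` and `fetchImpl` are injectable so the logic can be tested offline.
async function safeFetch(rawUrl, { lookup = defaultLookup, fetchImpl = globalThis.fetch } = {}) {
  let url;
  try { url = new URL(rawUrl); } catch { throw new Error('invalid URL'); }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) throw new Error(`blocked protocol ${url.protocol}`);
  if (url.username || url.password) throw new Error('blocked: credentials in URL');
  // WHATWG URL has already canonicalised tricks such as http://2130706433/ to 127.0.0.1;
  // IPv6 literals come back as "[::1]", so strip the brackets before resolving.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const addresses = await lookup(host);
  const bad = addresses.find(isForbiddenAddress);
  if (addresses.length === 0 || bad !== undefined) {
    throw new Error(`blocked: ${host} resolves to ${bad ?? 'nothing'}`);
  }
  // Never follow redirects automatically: a 302 to http://169.254.169.254/ would
  // otherwise sail past the check above.
  return fetchImpl(url.href, { redirect: 'manual' });
}
```

Two caveats a reviewer should still raise. First, the lookup here and the one the socket performs when the request is sent are separate queries, so an attacker-controlled DNS name can answer with a public address for the check and an internal one for the connection (DNS rebinding); closing that gap means connecting to the address you checked rather than to the name, which depends on the HTTP client in use. Second, `redirect: 'manual'` is deliberate: if the application needs to follow redirects, each hop has to go back through `safeFetch`. Where the set of targets is known, the allow-list form in the Good example above remains the simplest option; use a `Map` or `Object.hasOwn` for the lookup so that keys such as `constructor` do not fall through to the prototype.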

Use it

Enable no-ssrf in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-ssrf': 'error',
    },
  },
];
