
Veracode SSRF Flag for http.NewRequestWithContext: Mitigating Risk in My Go Application

Çağlar Arlı


I'm working on a Go application where I'm using http.NewRequestWithContext to make outgoing requests. During a recent Veracode scan, I received an SSRF (Server-Side Request Forgery) flag for the following line:

req, err := http.NewRequestWithContext(ctx, method, url, payload)

Veracode seems to be concerned about the potential for user-controlled input being used in the url variable, leading to an attacker crafting a malicious URL that could be executed by my application.

What specific aspects of this line are triggering the Veracode flag? Is it the use of http.NewRequestWithContext itself, or is it something specific to my implementation?

What mitigation strategies can I implement to address this SSRF vulnerability? I've considered methods like URL validation, URL sanitization and whitelisting, but I'm also facing the same issue in the URL where we append the token query parameter last, before making the HTTP call.

Are there any Veracode-specific considerations or best practices I should be aware of when addressing SSRF vulnerabilities in my Go application?
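As an added example (not the question author's code), one way to put a host allowlist in front of http.NewRequestWithContext in Go so that only validated URLs reach it, including the token query parameter the question mentions; the allowedHosts entries and the example URLs are assumed placeholders.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// Fixed set of hosts this service may call (constructed values; load from config).
var allowedHosts = map[string]bool{"api.example.com": true, "payments.example.com": true}

var ErrDisallowedURL = errors.New("outbound URL rejected by allowlist")

// BuildOutboundURL parses the caller-supplied URL, requires an allowlisted HTTPS
// host on the default port with no userinfo (so "https://api.example.com@other/"
// is rejected), and appends the token via url.Values so it is escaped, not concatenated.
func BuildOutboundURL(raw, token string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.User != nil || (u.Port() != "" && u.Port() != "443") ||
		!allowedHosts[u.Hostname()] {
		return "", ErrDisallowedURL
	}
	q := u.Query()
	q.Set("token", token)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// NewAllowlistedRequest is the only call site of http.NewRequestWithContext, so
// every URL reaching it has already passed BuildOutboundURL.
func NewAllowlistedRequest(ctx context.Context, method, raw, token string, body io.Reader) (*http.Request, error) {
	target, err := BuildOutboundURL(raw, token)
	if err != nil {
		return nil, err
	}
	return http.NewRequestWithContext(ctx, method, target, body)
}

func main() {
	fmt.Println(BuildOutboundURL("https://api.example.com/v1/users?page=2", "s3cr3t"))
}
```

Routing every outbound call through the wrapper also gives the scanner a single, visibly validated path to the flagged call.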