
Java: Add URL.getHost() to SSRF host validation sanitizer #18

Open

mrigankpawagi wants to merge 1 commit into main from improve-java-ssrf-url-validation

Conversation

@mrigankpawagi

Owner

Fix

Extends the host comparison sanitizer in the java/ssrf query to also recognize java.net.URL.getHost() in addition to the existing java.net.URI.getHost() support.

Problem

The existing SSRF query recognizes URI.getHost() comparisons as sanitizers but missed the equivalent URL.getHost() pattern. Code that parses a URL with new URL(input) and validates url.getHost().equals(allowedHost) was still flagged as vulnerable. Both URL.getHost() and URI.getHost() serve the same validation purpose.

Validation

Static analysis confirms java.net.URL.getHost() returns the same host string as java.net.URI.getHost(), making it an equally valid sanitizer for SSRF.
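The pattern the PR describes, as an added example that is not code from the PR or from the CodeQL repository: parse user input with java.net.URL, compare getHost() against a fixed allow-listed host, and reuse that same URL object for the request. The allowed host name, the class and method names, and the sample inputs are all assumptions constructed for this illustration. The same check is written alongside via java.net.URI, which the query already recognized, so the two getHost() results can be compared on inputs where the parsers behave differently.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.List;

// Added example (hypothetical class), not code from the PR or the CodeQL repository.
public class HostValidationExample {

    // Hypothetical allow-list entry; a real service would hold its own target host here.
    static final String ALLOWED_HOST = "allowed.example.com";

    // Shape the PR makes the java/ssrf query treat as a sanitizer: URL.getHost()
    // followed by an equals check. The constant is on the left so the comparison
    // cannot throw on a null host, which matters if the parser is later switched to URI.
    static URL validateTarget(String userInput) throws MalformedURLException {
        URL url = new URL(userInput);
        if (!ALLOWED_HOST.equals(url.getHost())) {
            throw new IllegalArgumentException("host not allowed: " + url.getHost());
        }
        // Return the validated object; the caller must use url.openConnection() on this
        // instance rather than re-parsing userInput, or the check guards nothing.
        return url;
    }

    // The URI.getHost() form the query already recognized before this PR.
    static URI validateTargetUri(String userInput) throws URISyntaxException {
        URI uri = new URI(userInput);
        if (!ALLOWED_HOST.equals(uri.getHost())) {
            throw new IllegalArgumentException("host not allowed: " + uri.getHost());
        }
        return uri;
    }

    // Report what each parser sees as the host, or which exception it raises.
    static String describe(String input) {
        String urlHost;
        try {
            urlHost = String.valueOf(new URL(input).getHost());
        } catch (MalformedURLException e) {
            urlHost = "MalformedURLException";
        }
        String uriHost;
        try {
            uriHost = String.valueOf(new URI(input).getHost());
        } catch (URISyntaxException e) {
            uriHost = "URISyntaxException";
        }
        return input + "  URL.getHost()=" + urlHost + "  URI.getHost()=" + uriHost;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the comments state the host string each parser returns.
        List<String> inputs = List.of(
            "http://allowed.example.com/api",          // both: allowed.example.com -> accepted
            "http://user:pw@allowed.example.com/api",  // both strip userinfo -> accepted
            "http://exa_mple.com/",                    // URL: exa_mple.com; URI: null (underscore
                                                       // is not a valid RFC 2396 hostname label)
            "http://ALLOWED.EXAMPLE.COM/",             // both keep case -> equals() rejects
            "http://allowed.example.com.evil.test/");  // both return the full name -> rejected

        for (String in : inputs) {
            System.out.println(describe(in));
            try {
                URL ok = validateTarget(in);
                System.out.println("  accepted by URL check: " + ok);
            } catch (MalformedURLException | IllegalArgumentException e) {
                System.out.println("  rejected by URL check: " + e.getMessage());
            }
            try {
                URI ok = validateTargetUri(in);
                System.out.println("  accepted by URI check: " + ok);
            } catch (URISyntaxException | IllegalArgumentException e) {
                System.out.println("  rejected by URI check: " + e.getMessage());
            }
        }
    }
}
```

Two practical points follow from running this. First, the sanitizer only holds when the request is made from the object whose getHost() was compared; building a fresh URL from the raw string after the check, or concatenating the string into another request, reopens the SSRF. Second, the two parsers are not interchangeable on every input: URL.getHost() never returns null, while URI.getHost() is null for names that are not valid RFC 2396 hostnames, so `uri.getHost().equals(ALLOWED_HOST)` can throw NullPointerException where the URL form does not. Writing the comparison with the constant on the left keeps both forms safe, and an exact equals() against a fixed host rejects case variants and suffix tricks rather than letting them through.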

The existing host comparison sanitizer only recognized URI.getHost().
This extends it to also recognize java.net.URL.getHost() followed by
an equals check, which is a common pattern for validating the target
host before making a request.
@github-actions github-actions Bot added the Java label Jun 23, 2026
