Elixir Finch Request Forgery
Description
This detector identifies Elixir code that uses the Finch HTTP client library in an unsafe manner, potentially allowing Server-Side Request Forgery (SSRF) attacks. SSRF vulnerabilities occur when an application makes HTTP requests to URLs controlled by user input without proper validation, enabling attackers to access internal services or perform unauthorized requests.
Detection Strategy
• Scans Elixir source code for function calls related to the Finch HTTP client library
• Identifies Finch request methods (like Finch.build/4, Finch.request/3, etc.) that accept URL parameters
• Flags cases where user-controlled input could be passed as the URL parameter to Finch HTTP requests
• Reports vulnerabilities when URL destinations in Finch calls are not properly validated or sanitized before use
Vulnerable code example
defmodule VulnerableProxy do
use Plug.Router
plug :match
plug :dispatch
get "/proxy" do
# Vulnerable: User-controlled URL enables SSRF attacks...✅ Secure code example
defmodule SecureProxy do
use Plug.Router
plug :match
plug :dispatch
get "/proxy" do
url = conn.params["url"]...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.