logo

Database

Elixir Tesla Request Forgery

Description

This detector identifies Server-Side Request Forgery (SSRF) vulnerabilities in Elixir applications using the Tesla HTTP client library. It flags instances where Tesla client requests are configured in an unsafe manner that could allow attackers to control request destinations.

Weakness:

100 - Server-side request forgery (SSRF)

Category: Deceptive Interactions

Detection Strategy

    Analyze Elixir source code for Tesla HTTP client usage patterns

    Examine Tesla.client(), Tesla.get(), Tesla.post(), and similar function calls

    Flag Tesla requests where the URL or destination is dynamically constructed from user input

    Report vulnerabilities when Tesla clients accept external input for request URLs without proper validation

    Identify unsafe Tesla middleware configurations that could enable request manipulation

Vulnerable code example

defmodule ExampleController do
  use Phoenix.Controller

  alias Tesla

  def vulnerable_request(conn, _params) do
    url = conn.params["target"]
    ...

✅ Secure code example

defmodule ExampleController do
  use Phoenix.Controller

  alias Tesla

  def secure_request(conn, _params) do
    url = conn.params["target"]
    ...