We are facing an SSRF vulnerability finding on `http.NewRequestWithContext(ctx, "GET", url, nil)` in Go during a Veracode scan.
The URL that reaches this function carries a JWT as its last query parameter, e.g. https://this.isAValidUrl.com/path?token=--validJwtToken--
We tried to fix the problem in 2 ways by validating the URL using:
- regex which validates any valid http/https URL.
- allowed list of specified URLs only.
Neither fix works; we are still getting issues in the Veracode scan. Can someone please help with this?
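The allowlist approach the question describes, written out as an added example (this is not code from the question or from Veracode): instead of matching the raw string with a regex, the URL is parsed with `net/url` and its scheme, host, port and userinfo are checked individually against an exact allowlist before the parsed result is handed to `http.NewRequestWithContext`. The hostname `this.isavalidurl.com` in the allowlist is taken from the question; the rejected inputs and the token value are constructed for the demo.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// allowedOrigins is a constructed allowlist of "scheme://host" pairs.
// Hostnames are stored lower-case because DNS names compare case-insensitively.
var allowedOrigins = map[string]bool{
	"https://this.isavalidurl.com": true,
}

// ValidateOutboundURL parses raw and checks each component against the allowlist.
// It returns the parsed URL on success or an error describing why it was rejected.
func ValidateOutboundURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	// Only https is accepted; a scheme-only regex would also let "http" through.
	if u.Scheme != "https" {
		return nil, errors.New("only https is permitted")
	}
	// "https://good.example@evil.example/" parses with User set and Host = evil.example,
	// which is why userinfo is rejected outright rather than string-matched.
	if u.User != nil {
		return nil, errors.New("userinfo in URL is not permitted")
	}
	// Non-default ports are rejected so the allowlist key stays scheme+host only.
	if p := u.Port(); p != "" && p != "443" {
		return nil, errors.New("non-standard port is not permitted")
	}
	host := strings.ToLower(u.Hostname())
	if !allowedOrigins[u.Scheme+"://"+host] {
		return nil, fmt.Errorf("host %q is not on the allowlist", host)
	}
	return u, nil
}

// NewAllowlistedRequest builds the GET request from the validated, re-serialised
// URL, so the raw string never reaches http.NewRequestWithContext unchecked.
// The token query parameter survives because the path and query are passed through.
func NewAllowlistedRequest(ctx context.Context, raw string) (*http.Request, error) {
	u, err := ValidateOutboundURL(raw)
	if err != nil {
		return nil, err
	}
	return http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
}

func main() {
	// Constructed inputs: one allowed URL followed by typical bypass shapes.
	for _, raw := range []string{
		"https://this.isAValidUrl.com/path?token=constructed-token",
		"http://this.isAValidUrl.com/path",
		"https://other.example/path",
		"https://this.isAValidUrl.com@other.example/",
		"https://this.isAValidUrl.com:8443/",
	} {
		_, err := NewAllowlistedRequest(context.Background(), raw)
		fmt.Printf("%-58s -> %v\n", raw, err)
	}
}
```

The design point is that the check operates on the parsed components, not on the string the request was built from: the `userinfo` case in the demo passes a naive "starts with the allowed host" regex, yet `url.Parse` places the real destination in `Host`. Building the request from `u.String()` after validation keeps the checked components and the request's destination identical.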