Ssrf Server Side in Actix with Firestore
Ssrf Server Side in Actix with Firestore — how this specific combination creates or exposes the vulnerability
Server-side request forgery (SSRF) in an Actix service that interacts with Google Firestore can occur when user-supplied input is used to construct URLs for backend requests or Firestore document references. Actix is an asynchronous Rust web framework; if an endpoint accepts a parameter (e.g., a document path or a remote resource URL) and uses it to perform an HTTP call or to derive a Firestore document reference without strict validation, an attacker can force the server to reach internal or unexpected endpoints.
In this context, Firestore itself does not introduce SSRF, but the way your Actix code resolves and uses document paths can amplify the risk. For example, suppose an endpoint accepts a document_path from a client and uses it to read a Firestore document via the official Google Cloud SDK. If the path is not strictly validated, an attacker might supply a path that causes the backend to request internal metadata services (e.g., the Compute Engine metadata service at http://metadata.google.internal) or other cloud internal endpoints, leading to data exposure or lateral movement. Similarly, if your Actix app uses a Firestore-triggered workflow that makes outbound HTTP calls based on document fields, malicious data stored in Firestore can later be used to drive SSRF at runtime.
Because middleBrick scans the unauthenticated attack surface and tests input validation and SSRF in parallel, it can identify endpoints where user-controlled data influences Firestore document references or triggers outbound requests. Findings will include the related OWASP API Top 10 category and guidance to ensure that document paths and URLs are validated, use allowlists, and never forward user input directly to backend services or metadata endpoints.
When integrating with the middleBrick ecosystem, you can use the CLI to scan your Actix endpoints from the terminal (middlebrick scan <url>), add the GitHub Action to fail builds if the risk score drops below your chosen threshold, or run scans directly from your AI coding assistant via the MCP Server. These integrations help catch SSRF-style issues early, complementing the 12 security checks that include Input Validation and SSRF.
Firestore-Specific Remediation in Actix — concrete code fixes
To mitigate SSRR in an Actix service that uses Firestore, validate and constrain all inputs that influence document references or URLs. Prefer allowlists for document IDs and paths, avoid concatenating user input into URLs, and use the Firestore SDK as intended rather than building raw HTTP calls to internal metadata services.
1. Validate document paths and IDs
Do not trust client-provided document paths. Ensure IDs conform to expected patterns and do not contain slashes that could traverse collections.
use actix_web::{web, HttpResponse, Result};
use google_cloud_firestore::client::Client;
use regex::Regex;
/// Only allow alphanumeric, underscore, hyphen, and dot document IDs.
fn is_valid_document_id(id: &str) -> bool {
let re = Regex::new(r"^[a-zA-Z0-9_\-\.]{1,100}$").unwrap();
re.is_match(id)
}
async fn get_document(
client: web::Data,
path: web::Path,
) -> Result {
let doc_id = path.into_inner();
if !is_valid_document_id(&doc_id) {
return Ok(HttpResponse::BadRequest().body("Invalid document ID"));
}
// Safe: using the Firestore SDK with a validated document ID.
let doc_ref = client.collection("items").doc(&doc_id);
match doc_ref.get().await {
Ok(snapshot) => {
if snapshot.exists() {
Ok(HttpResponse::Ok().json(snapshot.data().unwrap_or_default()))
} else {
Ok(HttpResponse::NotFound().finish())
}
}
Err(e) => Ok(HttpResponse::InternalServerError().body(format!("Firestore error: {e}"))),
}
} 2. Avoid using user input to construct URLs for metadata or internal services
Never forward user input to endpoints like http://metadata.google.internal. If you need configuration or service discovery, use environment variables or secret stores instead.
use actix_web::{web, HttpResponse, Result};
/// Bad: building a URL from user input can lead to SSRF.
/// async fn fetch_bad(user_host: String) -> Result {
/// let url = format!("http://{}/v1/instance/attributes", user_host);
/// reqwest::get(&url).await.map(|r| r.into())
/// }
/// Good: read a trusted base URL from configuration.
async fn fetch_safe(config: web::Data<AppConfig>) -> Result {
let client = reqwest::Client::new();
let url = format!("{}://{}/v1/instance/attributes", config.scheme, config.internal_host);
match client.get(&url).send().await {
Ok(resp) => Ok(HttpResponse::Ok().body(resp.text().await.unwrap_or_default())),
Err(_) => Ok(HttpResponse::ServiceUnavailable().finish()),
}
}
#[derive(Clone)]
struct AppConfig {
scheme: String,
internal_host: String,
}
// In main or app factory, provide config from environment/secrets.
// let cfg = web::Data::new(AppConfig { scheme: "http".into(), internal_host: "metadata.google.internal".into() });
// App::new().app_data(cfg).route("/fetch", web::get().to(fetch_safe)); 3. Sanitize Firestore-triggered outbound calls
If documents contain URLs or hostnames that your Actix service uses to make outbound requests, validate those URLs against an allowlist of permitted domains and reject private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and localhost.
use url::Url;
/// Returns Ok(()) if the URL is allowed, Err otherwise.
fn is_allowed_url(href: &str) -> Result<(), &'static str> {
let parsed = Url::parse(href).map_err(|_| "Invalid URL")?;
// Allowlist example: only https://api.example.com
if parsed.scheme() != "https" || parsed.host_str() != Some("api.example.com") {
return Err("Domain not allowed");
}
// Reject private IPs and localhost.
if let Some(host) = parsed.host_str() {
if host == "localhost" {
return Err("Localhost not allowed");
}
// You can add IP parsing here if needed.
}
Ok(())
}
// Example usage inside a Firestore-triggered handler:
// for url in document_urls {
/// if let Err(e) = is_allowed_url(&url) {
/// // log and skip
/// }
/// }