From 418cb2c76ed4fd803fd29cf6f965d64d2812ef60 Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Sat, 14 Feb 2026 05:38:26 +0100
Subject: [PATCH] fix(mitmproxy): Fix SSRF false positives for internal traffic

SSRF detection was triggering on any request to internal IPs (192.168.x.x, 10.x.x.x, etc.) because it was checking the target URL itself. Now only checks query parameters and request body for SSRF patterns, which is where actual SSRF attacks occur.
Co-Authored-By: Claude Opus 4.5
---
 .../files/srv/mitmproxy/addons/secubox_analytics.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py b/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py
index 051eaa02..3f542a20 100644
--- a/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py
+++ b/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py
@@ -1085,9 +1085,14 @@ class SecuBoxAnalytics:
 'severity': 'high', 'category': 'file_access' }
- # Check SSRF
+ # Check SSRF - only in query parameters and body, not in the target URL itself
+ # This prevents false positives when accessing internal services legitimately
+ ssrf_targets = [body]
+ if query:
+ ssrf_targets.extend([str(v) for v in query.values()])
+ ssrf_combined = ' '.join(ssrf_targets)
 for pattern in SSRF_PATTERNS:
- if re.search(pattern, combined, re.IGNORECASE):
+ if re.search(pattern, ssrf_combined, re.IGNORECASE):
 return { 'is_scan': True, 'pattern': 'ssrf', 'type': 'ssrf', 'severity': 'high', 'category': 'server_side'
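Review bot: SSRF matching loses more than the target host here: `ssrf_combined` is built only from `body` and the query values, so anything else `combined` carried (it is built outside this hunk, presumably the path and possibly headers) is no longer inspected for internal addresses. If the false positives came only from the host part of the target URL, excluding just that part would keep the rest of the detection coverage. If `query` is mitmproxy's multi-value query view, `values()` returns only the first value per key, so later values of a repeated parameter are never matched; `ssrf_targets.extend(str(v) for _, v in query.items(multi=True))` would cover them. `' '.join(ssrf_targets)` also assumes `body` is always a `str`, which is set outside the hunk and worth confirming (`ssrf_targets = [body or '']` if it can be `None`). The enclosing method begins and ends outside the hunk.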