@sun-asterisk/sunlint 1.3.39 → 1.3.41

package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md

@@ -0,0 +1,61 @@
+---
+title: Validate OAuth Redirect URIs Exactly
+impact: CRITICAL
+impactDescription: prevents authorization code theft by ensuring tokens are only sent to verified client URLs
+tags: oauth, redirect, uri, validation, security, kotlin
+---
+
+## Validate OAuth Redirect URIs Exactly
+
+When acting as an OAuth 2.0 Identity Provider (IdP) or using an external one, the `redirect_uri` parameter must be validated against an exact, pre-registered whitelist. Loose validation (like prefix matching or regex) can be bypassed by attackers to steal secrets.
+
+**Incorrect (partial or loose validation):**
+
+```kotlin
+// VULNERABLE: Substring matching
+if (redirectUri.contains("sun-asterisk.vn")) {
+    // Attack: https://attacker.com?sun-asterisk.vn
+}
+
+// VULNERABLE: Prefix matching without trailing slash
+if (redirectUri.startsWith("https://app.sun-asterisk.vn")) {
+    // Attack: https://app.sun-asterisk.vn.attacker.com/callback
+}
+```
+
+**Correct (exact match against registered URIs):**
+
+```kotlin
+private val ALLOWED_REDIRECT_URIS = setOf(
+    "https://auth.sun-asterisk.vn/callback",
+    "https://mobile.sun-asterisk.vn/oauth/success"
+)
+
+fun validateRedirectUri(inputUri: String) {
+    // MUST perform a case-sensitive exact string comparison
+    if (!ALLOWED_REDIRECT_URIS.contains(inputUri)) {
+        throw SecurityException("Unauthorized redirect_uri: $inputUri")
+    }
+}
+
+// If acting as an OAuth Provider (Spring Security Auth Server)
+@Configuration
+class SecurityConfig {
+    @Bean
+    fun registeredClientRepository(): RegisteredClientRepository {
+        return InMemoryRegisteredClientRepository(
+            RegisteredClient.withId("client-id")
+                .redirectUri("https://app.example.com/login/oauth2/code/gateway") // Exact
+                .build()
+        )
+    }
+}
+```
+
+**Security Requirements:**
+1.  **Exact Matching:** Use `equals()` or Set `contains()`. Never use `startsWith` or `contains`.
+2.  **No Wildcards:** Do not support wildcards in redirect URIs.
+3.  **HTTPS Only:** In production, only allow `https://` (except for specific localhost dev cases if strictly necessary).
+4.  **Pre-Registration:** The client must register their redirect URIs before they can initiate any OAuth flows.
+
+**Tools:** Spring Security OAuth2, OWASP ZAP, Manual Audit, Penetration Testing

package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md

@@ -0,0 +1,70 @@
+---
+title: Authentication Codes Must Expire Quickly
+impact: MEDIUM
+impactDescription: reduces the time window for attackers to brute-force or intercept one-time codes
+tags: authentication, codes, expiry, otp, security, kotlin
+---
+
+## Authentication Codes Must Expire Quickly
+
+One-time codes (OTP) used for password resets, 2FA, or login links should have a very short operational lifespan. The longer a code is valid, the more time an attacker has to social engineer the code from the victim or brute-force it.
+
+**Incorrect (long-lived or non-expiring codes):**
+
+```kotlin
+// VULNERABLE: Code remains valid for 24 hours
+val resetToken = UUID.randomUUID().toString()
+db.save(ResetToken(userId, resetToken, createdAt = Instant.now()))
+
+// In the verification logic:
+fun verify(token: String) {
+    val record = db.findByToken(token) ?: throw Exception("Invalid")
+    // No check for time elapsed!
+}
+```
+
+**Correct (short expiry with state management):**
+
+```kotlin
+import java.time.Duration
+import java.time.Instant
+
+private val OTP_EXPIRY = Duration.ofMinutes(5)
+
+fun generateAndStoreOtp(userId: String) {
+    val code = (100000..999999).random().toString()
+    
+    // Store in Redis with TTL (Time To Live)
+    redis.set("otp:$userId", code, OTP_EXPIRY.toSeconds())
+}
+
+fun verifyOtp(userId: String, inputCode: String): Boolean {
+    val storedCode = redis.get("otp:$userId")
+    
+    if (storedCode == null) {
+        throw ExpiredCodeException("OTP has expired")
+    }
+    
+    if (storedCode == inputCode) {
+        // IMPORTANT: Invalidate the code immediately after successful use
+        redis.del("otp:$userId")
+        return true
+    }
+    
+    // Increment failure counter for rate limiting...
+    return false
+}
+```
+
+**Recommended Expiry Guidelines:**
+- **2FA / Login Codes:** 2 - 10 minutes.
+- **Magic Login Links:** 15 - 30 minutes.
+- **Email Verification:** 24 hours (security requirement is lower than active login).
+- **Password Reset:** 15 - 60 minutes.
+
+**Security Checklist:**
+1.  **Single Use:** Delete the code immediately upon successful verification.
+2.  **Rate Limiting:** Lock the account or the OTP flow after 3-5 failed attempts.
+3.  **Secure Generation:** Use `SecureRandom` instead of `Random` for code generation.
+
+**Tools:** Redis (with EXPIRE), Spring Security, Manual Audit

package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md

@@ -0,0 +1,65 @@
+---
+title: Reference Tokens 128-bit Entropy CSPRNG
+impact: HIGH
+impactDescription: prevents session hijacking via token guessing or brute-forcing
+tags: tokens, entropy, csprng, session, security, kotlin
+---
+
+## Reference Tokens 128-bit Entropy CSPRNG
+
+Opaque tokens (session IDs, API keys, reset tokens) must be generated using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) and contain enough entropy (randomness) to make them impossible to guess. 128 bits of entropy is the modern minimum standard.
+
+**Incorrect (low entropy or predictable tokens):**
+
+```kotlin
+// VULNERABLE: Predicatable and low entropy (around 53 bits)
+val id = (Math.random() * 1000000).toLong().toString()
+
+// VULNERABLE: Short tokens (only 32 bits if using 4 hex chars)
+val token = List(4) { ('a'..'z').random() }.joinToString("")
+
+// INSECURE: Using non-secure Random
+val random = java.util.Random()
+val weakToken = BigInteger(130, random).toString(32)
+```
+
+**Correct (high entropy bytes from CSPRNG):**
+
+```kotlin
+import java.security.SecureRandom
+import java.util.Base64
+
+// 1. 128-bit minimum (16 bytes = 128 bits)
+val secureRandom = SecureRandom()
+
+fun generateSessionToken(): String {
+    val bytes = ByteArray(16)
+    secureRandom.nextBytes(bytes)
+    return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
+}
+
+// 2. 256-bit for highly sensitive tokens (32 bytes)
+fun generateApiKey(): String {
+    val bytes = ByteArray(32)
+    secureRandom.nextBytes(bytes)
+    return "sk_" + Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
+}
+
+// 3. Using UUID (Standardized 128-bit random token)
+val uuidToken = UUID.randomUUID().toString()
+```
+
+**Security Benchmarks:**
+
+| Length | Entropy (approx) | Usage Recommendation |
+| :--- | :--- | :--- |
+| 16 bytes | 128 bits | **Minimum** for session tokens |
+| 24 bytes | 192 bits | Strong |
+| 32 bytes | 256 bits | **Recommended** for Long-lived API keys / Refresh tokens |
+
+**Entropy Requirements:**
+- Use `java.security.SecureRandom`.
+- Ensure tokens are long enough. A Hex-encoded string needs twice as many characters as the raw bytes (e.g., 32 hex chars for 16 bytes).
+- Do not include identifying information (like User IDs or IDs) in opaque reference tokens.
+
+**Tools:** OWASP ZAP, Manual Review, SonarQube (S2245)

package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md

@@ -0,0 +1,52 @@
+---
+title: Support 12-64 Character Passwords
+impact: MEDIUM
+impactDescription: enables secure passphrase usage and improves account security
+tags: password, length, passphrase, security, kotlin
+---
+
+## Support 12-64 Character Passwords
+
+Longer passwords (passphrases) are significantly harder to crack than short, complex ones. Restricting password length to small values (like 16 characters) prevents users from choosing highly secure passphrases.
+
+**Incorrect (too restrictive limits):**
+
+```kotlin
+data class UserRegistration(
+    @get:Size(min = 8, max = 16) val password: String // Too short!
+)
+```
+
+**Correct (reasonable limits following modern standards):**
+
+```kotlin
+data class UserRegistration(
+    @get:NotBlank
+    @get:Size(min = 12, max = 64, message = "Password must be 12-64 characters")
+    val password: String
+)
+
+// Dynamic complexity requirements
+fun isPasswordSecure(password: String): Boolean {
+    // Basic length check
+    if (password.length !in 12..64) return false
+    
+    // NIST: Long passphrases (16+) don't need arbitrary complexity rules
+    if (password.length >= 16) return true
+    
+    // Shorter passwords (12-15) should have complexity
+    val hasUpper = password.any { it.isUpperCase() }
+    val hasLower = password.any { it.isLowerCase() }
+    val hasDigit = password.any { it.isDigit() }
+    
+    return hasUpper && hasLower && hasDigit
+}
+```
+
+**Modern Password Guidelines:**
+- **Minimum:** 12 characters (absolute minimum 8).
+- **Maximum:** At least 64 characters (allow up to 128 if possible).
+- **Composition:** Allow all characters, including spaces and Unicode.
+- **Truncation:** Never truncate passwords before hashing.
+
+**Tools:** Bean Validation (@Size), Manual Review, OWASP Password Policy

package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md

@@ -0,0 +1,55 @@
+---
+title: OTPs Must Have 20-bit Entropy Minimum
+impact: MEDIUM
+impactDescription: prevents attackers from guessing one-time passwords through automated trials
+tags: otp, entropy, authentication, 2fa, security, kotlin
+---
+
+## OTPs Must Have 20-bit Entropy Minimum
+
+One-Time Passwords (OTPs) are naturally shorter than session tokens, making them more susceptible to brute-force attacks. To compensate, they must have at least 20 bits of entropy (which roughly corresponds to a 6-digit numeric code) and be protected by strict rate-limiting.
+
+**Incorrect (low entropy OTPs):**
+
+```kotlin
+// VULNERABLE: Only 4 digits = 10,000 possibilities (approx 13 bits)
+val weakOtp = (1000..9999).random().toString()
+
+// VULNERABLE: Predicatable non-random source
+val timeBased = System.currentTimeMillis().toString().takeLast(6)
+```
+
+**Correct (secure, high-entropy OTP generation):**
+
+```kotlin
+import java.security.SecureRandom
+
+private val secureRandom = SecureRandom()
+
+// 1. 6-digit numeric OTP (~20 bits entropy) - Standard
+fun generateOtp(): String {
+    val number = secureRandom.nextInt(1_000_000)
+    return String.format("%06d", number)
+}
+
+// 2. 8-digit numeric OTP (~26 bits entropy) - Highly Secure
+fun generateStrongOtp(): String {
+    val number = secureRandom.nextInt(100_000_000)
+    return String.format("%08d", number)
+}
+
+// 3. Alphanumeric OTP for extra entropy in shorter lengths
+// (6-char alphanumeric ≈ 30+ bits entropy)
+val allowedChars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789" // Avoid ambiguous chars (I/1, O/0)
+fun generateAlphanumericOtp(): String {
+    return (1..6).map { allowedChars[secureRandom.nextInt(allowedChars.length)] }.joinToString("")
+}
+```
+
+**Security Controls for OTPs:**
+1.  **Strict Rate Limiting:** This is the most important defense for OTPs. Block the user or IP after 3-5 failed attempts.
+2.  **Short Expiry:** Limit the validity to a few minutes (e.g., 5 mins).
+3.  **Secure Generation:** Always use a CSPRNG (`SecureRandom`).
+4.  **Single Use:** Invalidate the code immediately after any attempt (success or failure) to verify it, or at least after a success.
+
+**Tools:** OWASP ESAPI, Google Authenticator (TOTP), Manual Audit, SonarQube (S2245)

package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md

@@ -0,0 +1,66 @@
+---
+title: Return Generic Error Messages
+impact: HIGH
+impactDescription: prevents information disclosure and system reconnaissance
+tags: error-messages, information-disclosure, security, kotlin
+---
+
+## Return Generic Error Messages
+
+Detailed error messages can expose internal system implementation details, database structures, or specific library versions to attackers. This information is invaluable for planning more targeted attacks.
+
+**Incorrect (detailed errors exposed to client):**
+
+```kotlin
+// Spring Boot Exception Handler exposing EVERYTHING
+@ExceptionHandler(Exception::class)
+fun handleAll(e: Exception): ResponseEntity<Any> {
+    val body = mapOf(
+        "message" to e.message,
+        "class" to e.javaClass.name,
+        "stackTrace" to e.stackTrace // CRITICAL: Never send stack traces to clients!
+    )
+    return ResponseEntity.status(500).body(body)
+}
+
+// User Enumeration vulnerability
+if (user == null) {
+    return ResponseEntity.status(401).body("User not found")
+}
+if (!passwordValid) {
+    return ResponseEntity.status(401).body("Incorrect password")
+}
+```
+
+**Correct (generic errors with internal tracking):**
+
+```kotlin
+@ExceptionHandler(Exception::class)
+fun handleAll(e: Exception, request: WebRequest): ResponseEntity<Any> {
+    val trackingId = UUID.randomUUID().toString()
+    
+    // Log full details internally
+    logger.error("Internal Error #$trackingId on ${request.getDescription(false)}", e)
+    
+    // Provide a generic message and a tracking ID for the user to report
+    val body = mapOf(
+        "error" to "An internal system error occurred",
+        "code" to 500,
+        "trackingId" to trackingId 
+    )
+    return ResponseEntity.status(500).body(body)
+}
+
+// Same message for both prevents user enumeration
+if (user == null || !passwordValid) {
+    return ResponseEntity.status(401).body("Invalid username or password")
+}
+```
+
+**Security Best Practices:**
+- Never return stack traces, raw query strings, or file paths in API responses.
+- Use a Global Exception Handler to catch and sanitize all unhandled exceptions.
+- Ensure authentication messages are identical regardless of whether the username exists.
+- In production, disable Spring's `server.error.include-stacktrace` property.
+
+**Tools:** Spring `@ControllerAdvice`, Ktor `StatusPages`, OWASP ZAP, Manual Audit

package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md

@@ -0,0 +1,57 @@
+---
+title: Avoid Default Admin/Root Accounts
+impact: HIGH
+impactDescription: prevents easy initial compromise via well-known default administrative credentials
+tags: admin, default-accounts, credentials, security, kotlin
+---
+
+## Avoid Default Admin/Root Accounts
+
+Applications that ship with default administrative accounts (e.g., `admin/password`) are prime targets for automated attacks. Attackers scan for these default login paths and credentials as their first step in a system breach.
+
+**Incorrect (default admin in seeds or config):**
+
+```kotlin
+// Database migration/seed creating a default admin
+fun seedDatabase() {
+    val adminExists = repository.existsByRole("ADMIN")
+    if (!adminExists) {
+        val root = User(email = "admin@example.com", password = passwordEncoder.encode("admin123"), role = "ADMIN")
+        repository.save(root)
+    }
+}
+```
+
+**Correct (secure initial setup):**
+
+```kotlin
+// 1. Initial setup wizard approach
+@PostMapping("/api/initial-setup")
+fun setupAdmin(@RequestBody request: AdminSetupRequest): ResponseEntity<Any> {
+    if (userService.hasAnyAdmin()) {
+        return ResponseEntity.status(403).body("Setup already completed")
+    }
+    
+    // Validate password complexity
+    if (request.password.length < 16) {
+        return ResponseEntity.badRequest().body("Initial admin password must be at least 16 characters")
+    }
+
+    userService.createAdmin(request.email, request.password)
+    return ResponseEntity.ok("Admin account created successfully")
+}
+
+// 2. Environment-based initial credentials
+val initialAdminPass = System.getenv("INITIAL_ADMIN_PASSWORD")
+if (initialAdminPass.isNullOrBlank() || initialAdminPass.length < 12) {
+    throw IllegalStateException("A strong INITIAL_ADMIN_PASSWORD must be provided via environment variables")
+}
+```
+
+**Security Best Practices:**
+- Never hardcode administrative credentials in logic or configuration files.
+- Force an administrative password change on first login if a temporary password is provided.
+- Avoid obvious usernames like `admin`, `root`, `administrator`, or `sysadmin`.
+- Use Multi-Factor Authentication (MFA) for all administrative access.
+
+**Tools:** Security Audit, Penetration Testing, CI/CD configuration checks.

package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md

@@ -0,0 +1,58 @@
+---
+title: Validate Content-Type In REST Services
+impact: MEDIUM
+impactDescription: prevents content-type confusion attacks and parsing vulnerabilities
+tags: rest, content-type, validation, api, security, kotlin
+---
+
+## Validate Content-Type In REST Services
+
+Accepting any content type on your API endpoints can lead to unexpected parsing behavior or bypass security filters. For example, an attacker might send XML to an endpoint expecting JSON to trigger an XXE (XML External Entity) attack.
+
+**Incorrect (no content-type validation):**
+
+```kotlin
+// Ktor: Receiving raw body without validation
+post("/api/data") {
+    val body = call.receiveText()
+    // No check if this is JSON, XML, or plain text
+    process(body)
+}
+
+// Spring Boot: Permissive mapping
+@PostMapping("/api/data", consumes = ["*/*"])
+fun handle(@RequestBody data: String) { ... }
+```
+
+**Correct (strict content-type validation):**
+
+```kotlin
+// Spring Boot: Explicit 'consumes' constraint
+@PostMapping("/api/data", consumes = [MediaType.APPLICATION_JSON_VALUE])
+fun handle(@RequestBody data: MyDataModel): ResponseEntity<Any> {
+    return ResponseEntity.ok(Success())
+}
+
+// Ktor: Content-Type check in interceptor or route
+post("/api/data") {
+    val contentType = call.request.contentType()
+    if (contentType.withoutParameters() != ContentType.Application.Json) {
+        call.respond(HttpStatusCode.UnsupportedMediaType, "Only application/json is supported")
+        return@post
+    }
+    val data = call.receive<MyDataModel>()
+    // ...
+}
+
+// Multpart requirement for uploads
+@PostMapping("/api/upload", consumes = [MediaType.MULTIPART_FORM_DATA_VALUE])
+fun upload(@RequestParam("file") file: MultipartFile) { ... }
+```
+
+**Best Practices:**
+- Use the `consumes` attribute in Spring's `@RequestMapping` or `@PostMapping`.
+- Always return the `415 Unsupported Media Type` status code when the content type is not allowed.
+- Ensure that the parser (JSON, XML) is configured securely (e.g., disabling external entities for XML).
+- Avoid generic types like `application/octet-stream` unless specifically handling binary data.
+
+**Tools:** Spring Security, Ktor ContentNegotiation, OWASP ZAP, API Gateway (e.g., Kong, AWS Gateway)

package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md

@@ -0,0 +1,47 @@
+---
+title: Protect Against Log Injection
+impact: HIGH
+impactDescription: prevents log forging, track hiding, and malicious content injection
+tags: logging, injection, sanitization, security, kotlin
+---
+
+## Protect Against Log Injection
+
+Log injection occurs when user-controlled data is written to a log file without sanitization. An attacker can inject newline characters to forge log entries or inject malicious payloads that could be executed by log analysis tools.
+
+**Incorrect (unsanitized logging):**
+
+```kotlin
+// Log injection vulnerability
+val username = request.getParameter("username")
+logger.info("User logged in: $username")
+
+// Attacker input: "admin\n[2024-01-01] ERROR Database connection failed"
+// Results in two lines in the log, one of which is fake.
+```
+
+**Correct (structured and sanitized logging):**
+
+```kotlin
+// Use structured logging (automatically handles many injection risks)
+logger.info("User logged in", StructuredArguments.value("username", sanitize(username)))
+
+// Sanitize manual log input
+fun sanitize(input: String?): String {
+    if (input == null) return ""
+    return input
+        .replace("[\r\n\t]".toRegex(), " ") // Replace newlines/tabs with space
+        .take(255) // Limit length to prevent log bloating attacks
+}
+
+// Logback configuration can also be set to replace newlines automatically:
+// %-5p [%d] %c: %replace(%m){'[\r\n]', ''}%n
+```
+
+**Prevention Strategies:**
+- Always use structured logging (e.g., Logstash Logback Encoder).
+- Sanitize any user-controlled input before logging by stripping or replacing CRLF characters.
+- Configure log appender to escape control characters.
+- Limit the size of logged variables.
+
+**Tools:** SonarQube (S2245), Semgrep, OWASP ESAPI (for Java/Kotlin), Manual Audit

package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md

@@ -0,0 +1,49 @@
+---
+title: Use Synchronized Time (UTC) In Logs
+impact: MEDIUM
+impactDescription: enables accurate incident correlation and audit trail reconstruction across distributed systems
+tags: logging, time, utc, synchronization, security, kotlin
+---
+
+## Use Synchronized Time (UTC) In Logs
+
+When an incident occurs, investigators need to correlate logs from multiple servers, databases, and third-party services. If timestamps are in different timezones or out of sync, reconstructing the timeline is nearly impossible.
+
+**Incorrect (local time or inconsistent formats):**
+
+```kotlin
+// Uses server's local timezone
+logger.info("User action at ${Date()}")
+
+// Inconsistent formats
+println("[${System.currentTimeMillis()}] Event")
+println("[${LocalDateTime.now()}] Event")
+```
+
+**Correct (UTC with ISO 8601 format):**
+
+```kotlin
+import java.time.Instant
+import java.time.format.DateTimeFormatter
+
+// 1. Use Instant (Always UTC)
+val timestamp = Instant.now().toString() // Output: 2024-01-15T10:30:00.000Z
+
+// 2. Structured logging with ISO 8601 (Recommended)
+logger.info("User action") {
+    payload("timestamp" to Instant.now().toString())
+    payload("userId" to user.id)
+}
+
+// 3. Configure Logback to use UTC
+// In logback.xml:
+// <timestamp key="bySecond" datePattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeReference="UTC"/>
+```
+
+**System Requirements:**
+- **UTC Everywhere:** Application logic, database storage, and logs should all use UTC.
+- **ISO 8601:** Use the standardized format `YYYY-MM-DDTHH:mm:ss.SSSZ`.
+- **NTP:** Ensure all servers in the cluster use the Network Time Protocol (NTP) to stay synchronized with a precise time source.
+- **Precision:** Log with at least millisecond precision.
+
+**Tools:** `java.time` (JSR-310), Logback, NTP, Sentry, Elasticsearch/Kibana

package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md

@@ -0,0 +1,69 @@
+---
+title: Protect Against SSRF Attacks
+impact: CRITICAL
+impactDescription: prevents attackers from making requests to internal infrastructure or cloud metadata endpoints via the server
+tags: ssrf, url, network, internal, security, kotlin
+---
+
+## Protect Against SSRF Attacks
+
+Server-Side Request Forgery (SSRF) allows an attacker to force the server to make HTTP requests to an arbitrary domain. This is often used to scan internal networks, access private local services (e.g., Redis, DBs), or steal credentials from Cloud Metadata services (AWS/GCP/Azure metadata endpoints).
+
+**Incorrect (trusting user-provided URLs):**
+
+```kotlin
+// VULNERABLE: Direct use of user input in a network client
+@GetMapping("/proxy")
+fun fetchUrl(@RequestParam url: String): String {
+    val client = HttpClient.newHttpClient()
+    val request = HttpRequest.newBuilder().uri(URI.create(url)).build()
+    return client.send(request, BodyHandlers.ofString()).body()
+}
+// Attacker: /proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
+```
+
+**Correct (strict validation and allow-listing):**
+
+```kotlin
+import java.net.InetAddress
+import java.net.URI
+
+private val ALLOWED_DOMAINS = setOf("trusted-api.com", "cdn.com")
+
+fun safeFetch(targetUrl: String): String {
+    val uri = URI(targetUrl)
+    
+    // 1. Protocol Whitelist
+    if (uri.scheme != "http" && uri.scheme != "https") {
+        throw SecurityException("Protocol not allowed")
+    }
+
+    // 2. Domain Whitelist (Recommended)
+    if (!ALLOWED_DOMAINS.contains(uri.host)) {
+        throw SecurityException("Domain not authorized")
+    }
+
+    // 3. IP Check (preventing local/private IP access)
+    val address = InetAddress.getByName(uri.host)
+    if (address.isLoopbackAddress || address.isSiteLocalAddress || address.isLinkLocalAddress) {
+        throw SecurityException("Internal network access forbidden")
+    }
+
+    // 4. Disable Redirects or manually validate them
+    val client = HttpClient.newBuilder()
+        .followRedirects(HttpClient.Redirect.NEVER)
+        .build()
+        
+    // Execute request...
+    return "" 
+}
+```
+
+**SSRF Prevention Guidelines:**
+- **Whitelisting:** Only allow requests to a predefined list of trusted domains.
+- **Protocol Restriction:** Only allow `http` and `https`. Block `file://`, `gopher://`, `dict://`, etc.
+- **Internal Network Blocking:** Block access to `localhost`, `127.0.0.1`, and private IP ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`).
+- **Cloud Metadata Blocking:** Explicitly block `169.254.169.254`.
+- **DNS Resolution:** Perform validation on the resolved IP address, not just the hostname.
+
+**Tools:** SonarQube (S5144), Semgrep, OWASP SSRF Prevention Cheat Sheet