pub fn validate_veracode_url(url_str: &str) -> Result<(), ValidationError>
Validates that a URL is from an allowed Veracode domain (SSRF protection).
This function prevents Server-Side Request Forgery (SSRF) attacks by validating that URLs returned in API responses are from legitimate Veracode domains across all supported regions (Commercial, European, Federal).
§Allowed Domains
- Commercial: *.veracode.com (api.veracode.com, analysiscenter.veracode.com)
- European: *.veracode.eu (api.veracode.eu, analysiscenter.veracode.eu)
- Federal: *.veracode.us (api.veracode.us, analysiscenter.veracode.us)
§Security
Without this validation, an attacker who compromises API responses could redirect requests to:
- Internal services (AWS metadata endpoints, localhost services)
- Private network ranges (192.168.x.x, 10.x.x.x)
- External malicious servers to steal authentication headers
§Arguments
url_str - The URL string to validate
§Returns
Returns Ok(()) if the URL is valid and from an allowed Veracode domain.
§Errors
Returns ValidationError::InvalidUrl if the URL cannot be parsed.
Returns ValidationError::InsecureScheme if the URL is not HTTPS.
Returns ValidationError::InvalidDomain if the URL is not from a Veracode domain.
§Examples
use veracode_platform::validation::validate_veracode_url;
// Valid Veracode URLs
assert!(validate_veracode_url("https://api.veracode.com/appsec/v1/applications").is_ok());
assert!(validate_veracode_url("https://api.veracode.eu/appsec/v1/applications").is_ok());
assert!(validate_veracode_url("https://api.veracode.us/appsec/v1/applications").is_ok());
// Invalid - not HTTPS
assert!(validate_veracode_url("http://api.veracode.com/test").is_err());
// Invalid - wrong domain (SSRF attempt)
assert!(validate_veracode_url("https://evil.com/test").is_err());
assert!(validate_veracode_url("https://localhost:8080/admin").is_err());
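The following is an added, std-only sketch of the checks this function's documentation describes (scheme, then an allow-list host match); it is not the veracode_platform crate's own implementation, which is not shown on this page. The function name check_veracode_url, the hand-rolled URL splitting and the ALLOWED_DOMAINS list are assumptions; the dot-boundary check in host_in_domain is the detail that keeps a suffix match from accepting look-alike hosts such as evil-veracode.com.

```rust
#[derive(Debug, PartialEq)]
pub enum ValidationError {
    InvalidUrl,
    InsecureScheme,
    InvalidDomain,
}

// Assumed allow-list; the page lists these three apex domains.
const ALLOWED_DOMAINS: &[&str] = &["veracode.com", "veracode.eu", "veracode.us"];

/// True only if `host` is exactly `domain` or a subdomain of it. A bare
/// `ends_with` would also accept "evil-veracode.com", so the label boundary
/// ('.') is required.
fn host_in_domain(host: &str, domain: &str) -> bool {
    host == domain || host.strip_suffix(domain).map_or(false, |p| p.ends_with('.'))
}

/// Hypothetical counterpart of validate_veracode_url (std only, no `url` crate).
pub fn check_veracode_url(url_str: &str) -> Result<(), ValidationError> {
    // Scheme first: only https passes, case-insensitively.
    let (scheme, rest) = url_str.split_once("://").ok_or(ValidationError::InvalidUrl)?;
    if !scheme.eq_ignore_ascii_case("https") {
        return Err(ValidationError::InsecureScheme);
    }
    // Authority = everything before the first '/', '?' or '#'.
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    // Strip userinfo ("user:pass@") and any ":port" so only the host is compared.
    let host_port = authority.rsplit('@').next().unwrap_or("");
    let host = host_port.split(':').next().unwrap_or("").to_ascii_lowercase();
    if host.is_empty() {
        return Err(ValidationError::InvalidUrl);
    }
    if ALLOWED_DOMAINS.iter().any(|d| host_in_domain(&host, d)) {
        Ok(())
    } else {
        Err(ValidationError::InvalidDomain)
    }
}

fn main() {
    for u in ["https://api.veracode.com/appsec/v1/applications", "http://api.veracode.com/test",
              "https://evil-veracode.com/", "https://api.veracode.com@evil.com/"] {
        println!("{u} -> {:?}", check_veracode_url(u));
    }
}
```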