---
issue: 107
title: "Scanner: TronGrid pagination next-URL used unvalidated — SSRF via API response"
severity: medium
domain: Scanner
labels: [security, scanner, ssrf]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Scanner: TronGrid pagination next-URL used unvalidated — SSRF via API response

**Severity:** medium
**Domain:** Scanner
**Labels:** security, scanner, ssrf

## Description

`scanner/tron_chain.go:180` follows the `Links.Next` URL from a TronGrid API response without validating that it has the same scheme and host as the configured RPC URL. A compromised or malicious TronGrid response can redirect the scanner to arbitrary internal endpoints.

## Options

1. Require next URL to share scheme+host with `chain.RpcURL`.
2. Reconstruct pagination params ourselves instead of trusting `Links.Next`.
3. Allowlist the TronGrid host.

## Recommendation

Validate scheme+host equals the configured RPC URL before following `Links.Next`.

## Affected Files

- `scanner/tron_chain.go:180`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-61
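One way to implement the recommended scheme+host check before following `Links.Next`, as an added example rather than the scanner's own code: `ValidateNextURL` is a hypothetical helper, and `api.trongrid.io` is assumed to be the configured TronGrid host.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrNextURLRejected is wrapped by every rejection so callers can errors.Is() it.
var ErrNextURLRejected = errors.New("pagination next URL rejected")

// ValidateNextURL enforces the recommended check: Links.Next must be an absolute
// URL whose scheme and host (including any port) match the configured RPC URL
// exactly, so a tampered response cannot steer the scanner to another origin.
func ValidateNextURL(rpcURL, next string) (*url.URL, error) {
	base, err := url.Parse(rpcURL)
	if err != nil || !base.IsAbs() || base.Host == "" {
		return nil, fmt.Errorf("invalid configured RPC URL %q: %v", rpcURL, err)
	}
	u, err := url.Parse(next)
	if err != nil {
		return nil, fmt.Errorf("%w: unparsable: %v", ErrNextURLRejected, err)
	}
	// Relative or scheme-relative links are ambiguous; never resolve them.
	if !u.IsAbs() || u.Host == "" {
		return nil, fmt.Errorf("%w: not absolute: %q", ErrNextURLRejected, next)
	}
	// Embedded credentials (https://good.host@other.host/) are never expected
	// from the API and are a common way to confuse host comparisons.
	if u.User != nil {
		return nil, fmt.Errorf("%w: userinfo present: %q", ErrNextURLRejected, next)
	}
	if !strings.EqualFold(u.Scheme, base.Scheme) || !strings.EqualFold(u.Host, base.Host) {
		return nil, fmt.Errorf("%w: origin %s://%s does not match %s://%s",
			ErrNextURLRejected, u.Scheme, u.Host, base.Scheme, base.Host)
	}
	return u, nil
}

func main() {
	// Constructed sample values; api.trongrid.io is an assumed configured host.
	rpc := "https://api.trongrid.io"
	next := "https://internal.example/v1/accounts?fingerprint=abc"
	if _, err := ValidateNextURL(rpc, next); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The port is part of `Host`, so a link to the same hostname on a different port is also rejected; if the configured RPC URL carries no explicit port, the API's links must not either.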