diff --git a/lib/adapters/http.js b/lib/adapters/http.js index 135c93a35f..77174e2668 100755 --- a/lib/adapters/http.js +++ b/lib/adapters/http.js @@ -16,6 +16,31 @@ var enhanceError = require('../core/enhanceError'); var isHttps = /https:?/; +/** + * + * @param {http.ClientRequestArgs} options + * @param {AxiosProxyConfig} proxy + * @param {string} location + */ +function setProxy(options, proxy, location) { + options.hostname = proxy.host; + options.host = proxy.host; + options.port = proxy.port; + options.path = location; + + // Basic proxy authorization + if (proxy.auth) { + var base64 = Buffer.from(proxy.auth.username + ':' + proxy.auth.password, 'utf8').toString('base64'); + options.headers['Proxy-Authorization'] = 'Basic ' + base64; + } + + // If a proxy is used, any redirects must also pass through the proxy + options.beforeRedirect = function beforeRedirect(redirection) { + redirection.headers.host = redirection.host; + setProxy(redirection, proxy, redirection.href); + }; +} + /*eslint consistent-return:0*/ module.exports = function httpAdapter(config) { return new Promise(function dispatchHttpRequest(resolvePromise, rejectPromise) { @@ -145,17 +170,8 @@ module.exports = function httpAdapter(config) { } if (proxy) { - options.hostname = proxy.host; - options.host = proxy.host; options.headers.host = parsed.hostname + (parsed.port ? ':' + parsed.port : ''); - options.port = proxy.port; - options.path = protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path; - - // Basic proxy authorization - if (proxy.auth) { - var base64 = Buffer.from(proxy.auth.username + ':' + proxy.auth.password, 'utf8').toString('base64'); - options.headers['Proxy-Authorization'] = 'Basic ' + base64; - } + setProxy(options, proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path); } var transport; diff --git a/test/unit/regression/SNYK-JS-AXIOS-1038255.js b/test/unit/regression/SNYK-JS-AXIOS-1038255.js new file mode 100644 index 0000000000..52c7498241 --- /dev/null +++ b/test/unit/regression/SNYK-JS-AXIOS-1038255.js @@ -0,0 +1,61 @@ +// https://snyk.io/vuln/SNYK-JS-AXIOS-1038255 +// https://github.com/axios/axios/issues/3407 +// https://github.com/axios/axios/issues/3369 + +const axios = require('../../../index'); +const http = require('http'); +const assert = require('assert'); + +const PROXY_PORT = 4777; +const EVIL_PORT = 4666; + + +describe('Server-Side Request Forgery (SSRF)', () => { + let fail = false; + let proxy; + let server; + let location; + beforeEach(() => { + server = http.createServer(function (req, res) { + fail = true; + res.end('rm -rf /'); + }).listen(EVIL_PORT); + proxy = http.createServer(function (req, res) { + if (req.url === 'http://localhost:' + EVIL_PORT + '/') { + return res.end(JSON.stringify({ + msg: 'Protected', + headers: req.headers, + })); + } + res.writeHead(302, { location }) + res.end() + }).listen(PROXY_PORT); + }); + afterEach(() => { + server.close(); + proxy.close(); + }); + it('obeys proxy settings when following redirects', async () => { + location = 'http://localhost:' + EVIL_PORT; + let response = await axios({ + method: "get", + url: "http://www.google.com/", + proxy: { + host: "localhost", + port: PROXY_PORT, + auth: { + username: 'sam', + password: 'password', + } + }, + }); + + assert.strictEqual(fail, false); + assert.strictEqual(response.data.msg, 'Protected'); + assert.strictEqual(response.data.headers.host, 'localhost:' + EVIL_PORT); + assert.strictEqual(response.data.headers['proxy-authorization'], 'Basic ' + Buffer.from('sam:password').toString('base64')); + + return response; + + }); +}); \ No newline at end of file