Requests that follow a redirect are not passing via the proxy #3369
I am not 100% sure yet, but I think we are encountering the same issue. I get an
@RubenVerborgh Maybe axios should set
Yes, that seems to be the case.
Does anyone have an idea for a workaround?
I found that this is in fact the cause of our issues. I fixed it for us with a workaround, but an actual fix would be much appreciated. The workaround is that, in case of an error, I set the url of the redirected request in the old config and execute the request again:

```js
const axios = require('axios');

axios.request(myConfig).catch(error => {
  // follow-redirects flags the underlying request when it was issued for a redirect
  if (error.request._isRedirect) {
    // re-issue the redirected request with the original config (proxy included)
    return axios.request({
      ...myConfig,
      url: error.request._options.path
    });
  }
});
```
Thanks for the workaround! Just to wrap this up: if we're not using the
Yes, that is my understanding. Only the combination of proxy + redirects.
CVE-2020-28168 appears to have been assigned to this issue.
Anyone listening on this issue, code review of #3410 is needed.
SourceClear have rated this CVE a 7.5, which means that all our pipelines are failing to build. It'd be really good if #3410 could be merged, as we can no longer deploy our software without raising all manner of engagements with corporate security.
Please see #3410; this will be released in 0.21.1.
Hello, is there any schedule to release 0.21.1, so the vulnerability is fixed and all dependent projects can fix their vulnerabilities?
Just as an FYI in case someone comes across this via a Google Search... incognito Chrome windows currently block third-party cookies, which will cause this error. So, either disable the feature (Settings -> Cookies and other site data -> Block third-party cookies in Incognito) or drop out of incognito.
### Description
Axios has [a vulnerability](axios/axios#3369) fixed in versions >= 0.21.1. Upgrading our dependencies to newer versions to be compatible.
Looks like in 0.21.1 it is still actual...
Describe the bug
In cases where axios is used by servers to perform http requests to user-supplied urls, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a url that responds with a redirect to a restricted host/ip.

To Reproduce
The following code spawns a proxy server that always responds with a 302 redirect, so requests should never reach the target url; however, axios is only reaching the proxy once, and bypassing the proxy after the redirect response.
https://runkit.com/embed/1df5qy8lbgnc
The response is the rendered html of http://example.com

Expected behavior
All the requests should pass via the proxy. In the provided scenario, there should be a redirect loop.