feat: Add allowInsecureRedirect option

legobeat · SzymonDrosdzol · web-flow · commit c5bcf21d40fb · 2023-08-08T09:26:35.000-04:00
BREAKING CHANGE: The allowInsecureRedirect is `false` by default, which may cause issues if your usage relies on insecure redirects. For the former behavior, you can opt in to insecure redirects by setting the option to `true`, but it is not recommended. 

Co-authored-by: Szymon Drosdzol &lt;szymon@doyensec.com&gt;
diff --git a/README.md b/README.md
@@ -707,6 +707,7 @@ The first argument can be either a `url` or an `options` object. The only requir
 - `followOriginalHttpMethod` - by default we redirect to HTTP method GET. you can enable this property to redirect to the original HTTP method (default: `false`)
 - `maxRedirects` - the maximum number of redirects to follow (default: `10`)
 - `removeRefererHeader` - removes the referer header when a redirect happens (default: `false`). **Note:** if true, referer header set in the initial request is preserved during redirect chain.
+- `allowInsecureRedirect` - allows cross-protocol redirects (HTTP to HTTPS and vice versa). **Warning:** may lead to bypassing anti SSRF filters (default: `false`)
 
 ---
 
diff --git a/lib/redirect.js b/lib/redirect.js
@@ -14,6 +14,7 @@ function Redirect (request) {
   this.redirects = []
   this.redirectsFollowed = 0
   this.removeRefererHeader = false
+  this.allowInsecureRedirect = false
 }
 
 Redirect.prototype.onRequest = function (options) {
@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
   if (options.followOriginalHttpMethod !== undefined) {
     self.followOriginalHttpMethod = options.followOriginalHttpMethod
   }
+  if (options.allowInsecureRedirect !== undefined) {
+    self.allowInsecureRedirect = options.allowInsecureRedirect
+  }
 }
 
 Redirect.prototype.redirectTo = function (response) {
@@ -113,7 +117,7 @@ Redirect.prototype.onResponse = function (response, callback) {
     request.uri = url.parse(redirectTo)
 
     // handle the case where we change protocol from https to http or vice versa
-    if (request.uri.protocol !== uriPrev.protocol) {
+    if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {
       delete request.agent
     }
 
diff --git a/tests/test-httpModule.js b/tests/test-httpModule.js
@@ -70,7 +70,7 @@ function runTests (name, httpModules) {
   tape(name, function (t) {
     var toHttps = 'http://localhost:' + plainServer.port + '/to_https'
     var toPlain = 'https://localhost:' + httpsServer.port + '/to_plain'
-    var options = { httpModules: httpModules, strictSSL: false }
+    var options = { httpModules: httpModules, strictSSL: false, allowInsecureRedirect: true }
     var modulesTest = httpModules || {}
 
     clearFauxRequests()
diff --git a/tests/test-redirect-auth.js b/tests/test-redirect-auth.js
@@ -18,6 +18,7 @@ request = request.defaults({
     user: 'test',
     pass: 'testing'
   },
+  allowInsecureRedirect: true,
   rejectUnauthorized: false
 })
 
diff --git a/tests/test-redirect-complex.js b/tests/test-redirect-complex.js
@@ -67,6 +67,7 @@ tape('lots of redirects', function (t) {
     request({
       url: (i % 2 ? s.url : ss.url) + '/a',
       headers: { 'x-test-key': key },
+      allowInsecureRedirect: true,
       rejectUnauthorized: false
     }, function (err, res, body) {
       t.equal(err, null)
diff --git a/tests/test-redirect.js b/tests/test-redirect.js
@@ -445,7 +445,8 @@ tape('http to https redirect', function (t) {
   hits = {}
   request.get({
     uri: require('url').parse(s.url + '/ssl'),
-    rejectUnauthorized: false
+    rejectUnauthorized: false,
+    allowInsecureRedirect: true
   }, function (err, res, body) {
     t.equal(err, null)
     t.equal(res.statusCode, 200)
@@ -454,6 +455,18 @@ tape('http to https redirect', function (t) {
   })
 })
 
+tape('http to https redirect should fail without the explicit "allowInsecureRedirect" option', function (t) {
+  hits = {}
+  request.get({
+    uri: require('url').parse(s.url + '/ssl'),
+    rejectUnauthorized: false
+  }, function (err, res, body) {
+    t.notEqual(err, null)
+    t.equal(err.code, 'ERR_INVALID_PROTOCOL', 'Failed to cross-protocol redirect')
+    t.end()
+  })
+})
+
 tape('should have referer header by default when following redirect', function (t) {
   request.post({
     uri: s.url + '/temp',
diff --git a/tests/test-tunnel.js b/tests/test-tunnel.js
@@ -356,6 +356,7 @@ function addTests () {
     'https->http over http, tunnel=true',
     {
       url: ss.url + '/redirect/http',
+      allowInsecureRedirect: true,
       proxy: s.url,
       tunnel: true
     },
@@ -372,6 +373,7 @@ function addTests () {
     'https->http over http, tunnel=false',
     {
       url: ss.url + '/redirect/http',
+      allowInsecureRedirect: true,
       proxy: s.url,
       tunnel: false
     },
@@ -388,6 +390,7 @@ function addTests () {
     'https->http over http, tunnel=default',
     {
       url: ss.url + '/redirect/http',
+      allowInsecureRedirect: true,
       proxy: s.url
     },
     [

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ function Redirect (request) {`
`14`	`14`	`this.redirects = []`
`15`	`15`	`this.redirectsFollowed = 0`
`16`	`16`	`this.removeRefererHeader = false`
	`17`	`+ this.allowInsecureRedirect = false`
`17`	`18`	`}`
`18`	`19`
`19`	`20`	`Redirect.prototype.onRequest = function (options) {`
`@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {`
`40`	`41`	`if (options.followOriginalHttpMethod !== undefined) {`
`41`	`42`	`self.followOriginalHttpMethod = options.followOriginalHttpMethod`
`42`	`43`	`}`
	`44`	`+ if (options.allowInsecureRedirect !== undefined) {`
	`45`	`+ self.allowInsecureRedirect = options.allowInsecureRedirect`
	`46`	`+ }`
`43`	`47`	`}`
`44`	`48`
`45`	`49`	`Redirect.prototype.redirectTo = function (response) {`
`@@ -113,7 +117,7 @@ Redirect.prototype.onResponse = function (response, callback) {`
`113`	`117`	`request.uri = url.parse(redirectTo)`
`114`	`118`
`115`	`119`	`// handle the case where we change protocol from https to http or vice versa`
`116`		`- if (request.uri.protocol !== uriPrev.protocol) {`
	`120`	`+ if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {`
`117`	`121`	`delete request.agent`
`118`	`122`	`}`
`119`	`123`
Original file line number	Diff line number	Diff line change
`@@ -356,6 +356,7 @@ function addTests () {`
`356`	`356`	`'https->http over http, tunnel=true',`
`357`	`357`	`{`
`358`	`358`	`url: ss.url + '/redirect/http',`
	`359`	`+ allowInsecureRedirect: true,`
`359`	`360`	`proxy: s.url,`
`360`	`361`	`tunnel: true`
`361`	`362`	`},`
`@@ -372,6 +373,7 @@ function addTests () {`
`372`	`373`	`'https->http over http, tunnel=false',`
`373`	`374`	`{`
`374`	`375`	`url: ss.url + '/redirect/http',`
	`376`	`+ allowInsecureRedirect: true,`
`375`	`377`	`proxy: s.url,`
`376`	`378`	`tunnel: false`
`377`	`379`	`},`
`@@ -388,6 +390,7 @@ function addTests () {`
`388`	`390`	`'https->http over http, tunnel=default',`
`389`	`391`	`{`
`390`	`392`	`url: ss.url + '/redirect/http',`
	`393`	`+ allowInsecureRedirect: true,`
`391`	`394`	`proxy: s.url`
`392`	`395`	`},`
`393`	`396`	`[`