Hotfix: Prevent SSRF (#3410)

* Reproducing the Vulnerability

* Prevent SSRF

* Cleanup

* Refactor to skip duplicate code

* Tests for correct passed data.

* Code review changes.

lib/adapters/http.js

@@ -16,6 +16,31 @@ var enhanceError = require('../core/enhanceError');
 
 var isHttps = /https:?/;
 
+/**
+ *
+ * @param {http.ClientRequestArgs} options
+ * @param {AxiosProxyConfig} proxy
+ * @param {string} location
+ */
+function setProxy(options, proxy, location) {
+  options.hostname = proxy.host;
+  options.host = proxy.host;
+  options.port = proxy.port;
+  options.path = location;
+
+  // Basic proxy authorization
+  if (proxy.auth) {
+    var base64 = Buffer.from(proxy.auth.username + ':' + proxy.auth.password, 'utf8').toString('base64');
+    options.headers['Proxy-Authorization'] = 'Basic ' + base64;
+  }
+
+  // If a proxy is used, any redirects must also pass through the proxy
+  options.beforeRedirect = function beforeRedirect(redirection) {
+    redirection.headers.host = redirection.host;
+    setProxy(redirection, proxy, redirection.href);
+  };
+}
+
 /*eslint consistent-return:0*/
 module.exports = function httpAdapter(config) {
   return new Promise(function dispatchHttpRequest(resolvePromise, rejectPromise) {
@@ -145,17 +170,8 @@ module.exports = function httpAdapter(config) {
     }
 
     if (proxy) {
-      options.hostname = proxy.host;
-      options.host = proxy.host;
       options.headers.host = parsed.hostname + (parsed.port ? ':' + parsed.port : '');
-      options.port = proxy.port;
+      setProxy(options, proxy, protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path);
-      options.path = protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path;
-
-      // Basic proxy authorization
-      if (proxy.auth) {
-        var base64 = Buffer.from(proxy.auth.username + ':' + proxy.auth.password, 'utf8').toString('base64');
-        options.headers['Proxy-Authorization'] = 'Basic ' + base64;
-      }
     }
 
     var transport;

test/unit/regression/SNYK-JS-AXIOS-1038255.js

@@ -0,0 +1,61 @@
+// https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
+// https://github.com/axios/axios/issues/3407
+// https://github.com/axios/axios/issues/3369
+
+const axios = require('../../../index');
+const http = require('http');
+const assert = require('assert');
+
+const PROXY_PORT = 4777;
+const EVIL_PORT = 4666;
+
+
+describe('Server-Side Request Forgery (SSRF)', () => {
+  let fail = false;
+  let proxy;
+  let server;
+  let location;
+  beforeEach(() => {
+    server = http.createServer(function (req, res) {
+      fail = true;
+      res.end('rm -rf /');
+    }).listen(EVIL_PORT);
+    proxy = http.createServer(function (req, res) {
+      if (req.url === 'http://localhost:' + EVIL_PORT + '/') {
+        return res.end(JSON.stringify({
+          msg: 'Protected',
+          headers: req.headers,
+        }));
+      }
+      res.writeHead(302, { location })
+      res.end()
+    }).listen(PROXY_PORT);
+  });
+  afterEach(() => {
+    server.close();
+    proxy.close();
+  });
+  it('obeys proxy settings when following redirects', async () => {
+    location = 'http://localhost:' + EVIL_PORT;
+    let response = await axios({
+      method: "get",
+      url: "http://www.google.com/",
+      proxy: {
+        host: "localhost",
+        port: PROXY_PORT,
+        auth: {
+          username: 'sam',
+          password: 'password',
+        }
+      },
+    });
+
+    assert.strictEqual(fail, false);
+    assert.strictEqual(response.data.msg, 'Protected');
+    assert.strictEqual(response.data.headers.host, 'localhost:' + EVIL_PORT);
+    assert.strictEqual(response.data.headers['proxy-authorization'], 'Basic ' + Buffer.from('sam:password').toString('base64'));
+
+    return response;
+
+  });
+});