mirror of
https://github.com/tenrok/axios.git
synced 2026-06-17 19:21:29 +03:00
Jay
ef3711d1b3
* feat: implement prettier and fix all issues * fix: failing tests * fix: implement feedback from codel, ai etc * chore: dont throw in trim function Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * fix: incorrect fix --------- Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
75 lines
1.8 KiB
JavaScript
75 lines
1.8 KiB
JavaScript
// https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
|
|
// https://github.com/axios/axios/issues/3407
|
|
// https://github.com/axios/axios/issues/3369
|
|
|
|
import axios from '../../../index.js';
|
|
import http from 'http';
|
|
import assert from 'assert';
|
|
|
|
const PROXY_PORT = 4777;
|
|
const EVIL_PORT = 4666;
|
|
|
|
describe('Server-Side Request Forgery (SSRF)', () => {
|
|
let fail = false;
|
|
let proxy;
|
|
let server;
|
|
let location;
|
|
beforeEach(() => {
|
|
server = http
|
|
.createServer(function (req, res) {
|
|
fail = true;
|
|
res.end('rm -rf /');
|
|
})
|
|
.listen(EVIL_PORT);
|
|
|
|
proxy = http
|
|
.createServer(function (req, res) {
|
|
if (
|
|
new URL(req.url, 'http://' + req.headers.host).toString() ===
|
|
'http://localhost:' + EVIL_PORT + '/'
|
|
) {
|
|
return res.end(
|
|
JSON.stringify({
|
|
msg: 'Protected',
|
|
headers: req.headers,
|
|
})
|
|
);
|
|
}
|
|
res.writeHead(302, { location });
|
|
res.end();
|
|
})
|
|
.listen(PROXY_PORT);
|
|
});
|
|
afterEach(() => {
|
|
server.close();
|
|
proxy.close();
|
|
});
|
|
|
|
it('obeys proxy settings when following redirects', async () => {
|
|
location = 'http://localhost:' + EVIL_PORT;
|
|
|
|
let response = await axios({
|
|
method: 'get',
|
|
url: 'http://www.google.com/',
|
|
proxy: {
|
|
host: 'localhost',
|
|
port: PROXY_PORT,
|
|
auth: {
|
|
username: 'sam',
|
|
password: 'password',
|
|
},
|
|
},
|
|
});
|
|
|
|
assert.strictEqual(fail, false);
|
|
assert.strictEqual(response.data.msg, 'Protected');
|
|
assert.strictEqual(response.data.headers.host, 'localhost:' + EVIL_PORT);
|
|
assert.strictEqual(
|
|
response.data.headers['proxy-authorization'],
|
|
'Basic ' + Buffer.from('sam:password').toString('base64')
|
|
);
|
|
|
|
return response;
|
|
});
|
|
});
|