
@aikidosec/firewall


Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.

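"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.onRedirect = onRedirect;
const Context_1 = require("../../agent/Context");
const findHostnameInContext_1 = require("../../vulnerabilities/ssrf/findHostnameInContext");
const getRedirectOrigin_1 = require("../../vulnerabilities/ssrf/getRedirectOrigin");
/**
 * Called by wrapOnHeaders when an outgoing request was answered with a redirect.
 *
 * Records the redirect hop in the request context so that the SSRF checks can
 * trace a request that arrives via a redirect chain back to the user input
 * that started it. A hop is recorded only when either
 *   1. the hop's source hostname (and port) is found in the user input of the
 *      current request context — the first hop of a user-controlled chain, or
 *   2. the hop's source is the destination of a hop already recorded in
 *      `context.outgoingRequestRedirects` — a continuation of a tracked chain.
 * Redirects that are not connected to user input are deliberately not tracked.
 *
 * @param {*} destination - The redirect target; stored as-is alongside the
 *   source (presumably a URL like `requestContext.url` — confirm in wrapOnHeaders).
 * @param {{ url: URL, port: (number|undefined) }|undefined} requestContext - The
 *   outgoing request that was redirected; `url.hostname` and `port` are read.
 * @param {object|undefined} context - The current request context; read and
 *   written through its `outgoingRequestRedirects` array.
 * @returns {void}
 */
function onRedirect(destination, requestContext, context) {
    // Without an outgoing request or an active request context there is no user
    // input to correlate with. Return instead of dereferencing a missing context
    // so a gap in instrumentation cannot throw inside the app's response handling.
    if (!requestContext || !context) {
        return;
    }
    // Case 1: the hostname (and port) being redirected away from came from user
    // input of this request, i.e. this is the first hop of a chain.
    const startsFromUserInput = (0, findHostnameInContext_1.findHostnameInContext)(requestContext.url.hostname, context, requestContext.port);
    // Case 2: the source of this hop is the destination of a hop that is already
    // tracked, i.e. the request continues an existing chain.
    let redirectOrigin;
    if (!startsFromUserInput && context.outgoingRequestRedirects) {
        redirectOrigin = (0, getRedirectOrigin_1.getRedirectOrigin)(context.outgoingRequestRedirects, requestContext.url);
    }
    if (!startsFromUserInput && !redirectOrigin) {
        // Not connected to user input: nothing to track.
        return;
    }
    // Append the hop to the tracked chain (creating the list on the first hop)
    // and persist it on the context for the SSRF checks on later requests.
    const outgoingRedirects = context.outgoingRequestRedirects || [];
    outgoingRedirects.push({
        source: requestContext.url,
        destination,
    });
    (0, Context_1.updateContext)(context, "outgoingRequestRedirects", outgoingRedirects);
}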