Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.onRedirect = onRedirect;
const Context_1 = require("../../agent/Context");
const findHostnameInContext_1 = require("../../vulnerabilities/ssrf/findHostnameInContext");
const getRedirectOrigin_1 = require("../../vulnerabilities/ssrf/getRedirectOrigin");

/**
 * Called by wrapOnHeaders when an outgoing request answers with a redirect.
 *
 * Records the hop `source -> destination` in the request context, but only
 * when the hop can be tied back to user input: either the request hostname
 * itself was found in the context (the first hop of a chain), or the request
 * continues a chain that is already stored in `context.outgoingRequestRedirects`.
 * Hops that cannot be attributed to user input are deliberately not stored.
 *
 * @param {URL} destination - Where the response redirects to.
 * @param {{ url: URL, port: unknown }} requestContext - The outgoing request that
 *   received the redirect; nothing is recorded when it is missing.
 * @param {object} context - The Zen request context that is read and updated.
 * @returns {void}
 */
function onRedirect(destination, requestContext, context) {
    if (!requestContext) {
        return;
    }
    const { url, port } = requestContext;

    // First hop of a chain: the hostname being requested came from user input.
    const startsFromUserInput = findHostnameInContext_1.findHostnameInContext(url.hostname, context, port);

    // Otherwise this may be a later hop of a chain that was recorded earlier.
    let chainOrigin;
    if (!startsFromUserInput && context.outgoingRequestRedirects) {
        chainOrigin = getRedirectOrigin_1.getRedirectOrigin(context.outgoingRequestRedirects, url);
    }

    if (!startsFromUserInput && !chainOrigin) {
        return;
    }

    // Append to the existing chain (or start one) and write it back so later
    // checks can trace the final destination back to the user-supplied origin.
    // NOTE(review): the chain is not capped here; confirm a length limit is
    // enforced elsewhere before relying on this for long redirect loops.
    const redirects = context.outgoingRequestRedirects || [];
    redirects.push({ source: url, destination });
    Context_1.updateContext(context, "outgoingRequestRedirects", redirects);
}