Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
const privateIpModule = require("./containsPrivateIPAddress");
const hostnameContextModule = require("./findHostnameInContext");
const redirectOriginModule = require("./getRedirectOrigin");
/**
 * Hook that runs before an outgoing request is sent.
 *
 * Guards against SSRF through redirects: a user-supplied URL that first
 * pointed at a public host may redirect to a private IP address. The check
 * only fires when all of the following hold:
 * - `context.outgoingRequestRedirects` is set, i.e. a redirect was already
 *   observed while handling this incoming request;
 * - the hostname of `url` contains a private IP address;
 * - the redirect origin (the user-supplied hostname and port that started
 *   the redirect chain) can be found in the incoming request's context.
 *
 * @param {URL} url - Destination of the outgoing request.
 * @param {object} context - Per-request context of the incoming request.
 * @returns {*} The result of `findHostnameInContext` when the redirect chain
 *   leads to a private IP, otherwise `undefined`.
 */
function isRedirectToPrivateIP(url, context) {
    // No redirect was seen for this incoming request: nothing to correlate.
    if (!context.outgoingRequestRedirects) {
        return undefined;
    }
    // Only a private destination is of interest here.
    if (!privateIpModule.containsPrivateIPAddress(url.hostname)) {
        return undefined;
    }
    const origin = redirectOriginModule.getRedirectOrigin(
        context.outgoingRequestRedirects,
        url
    );
    if (!origin) {
        return undefined;
    }
    // NOTE(review): if `origin.port` can be the empty string (default port),
    // parseInt yields NaN here — confirm findHostnameInContext treats that as
    // intended rather than as a never-matching port.
    const originPort = parseInt(origin.port, 10);
    return hostnameContextModule.findHostnameInContext(
        origin.hostname,
        context,
        originPort
    );
}
exports.isRedirectToPrivateIP = isRedirectToPrivateIP;