Requests that follow a redirect are not passing via the proxy #3369

Closed
aSapien opened this issue Oct 29, 2020 · 14 comments · Fixed by #3410
@aSapien

aSapien commented Oct 29, 2020

Describe the bug

In cases where axios is used by servers to perform HTTP requests to user-supplied URLs, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a URL that responds with a redirect to a restricted host/IP.

To Reproduce

The following code spawns a proxy server that always responds with a 302 redirect, so requests should never reach the target URL. However, axios only reaches the proxy once and bypasses the proxy after the redirect response.

https://runkit.com/embed/1df5qy8lbgnc

const axios = require('axios')
const http = require('http')

const PROXY_PORT = 8080

// A fake proxy server
http.createServer(function (req, res) { 
    res.writeHead(302, {location: 'http://example.com'})
    res.end()
  }).listen(PROXY_PORT)

axios({
  method: "get",
  url: "http://www.google.com/",
  proxy: {
    host: "localhost",
    port: PROXY_PORT,
  },
})
.then((r) => console.log(r.data))
.catch(console.error)

The response is the rendered html of http://example.com

Expected behavior

All the requests should pass via the proxy. In the provided scenario, there should be a redirect loop.

Environment

  • Axios Version [0.21.0]
  • Node.js Version [v12.18.2]

Additional context/Screenshots

Add any other context about the problem here. If applicable, add screenshots to help explain.

@marikaner

I am not 100% sure yet, but I think we are encountering the same issue. I get a getaddrinfo ENOTFOUND error and I think this is due to the fact that the proxy agent is missing in the redirected request. (I will investigate more, though).

@chinesedfan
Collaborator

@RubenVerborgh Maybe axios should set beforeRedirect of follow-redirects?

@RubenVerborgh

Yes, that seems to be the case.
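
The beforeRedirect idea suggested above, as an added example that is not part of the original thread and is not axios or follow-redirects code. The names applyProxy and simulateHops are hypothetical, simulateHops is a simplified model of a redirect-following client, and the proxy and redirect values are constructed:

```javascript
// Added example: a synchronous model of a redirect-following HTTP client.
// simulateHops() is a simplified stand-in for follow-redirects, not its real code.

// Point the request options at the proxy and send the absolute URL as the
// request path, which is how a plain HTTP forward proxy is addressed.
function applyProxy(options, proxy, absoluteUrl, rehook) {
  options.hostname = proxy.host;
  options.port = proxy.port;
  options.path = absoluteUrl;
  options.headers = Object.assign({}, options.headers, {
    host: new URL(absoluteUrl).host,
  });
  if (rehook) {
    // Re-apply the proxy on every redirect so no hop dials the target directly.
    options.beforeRedirect = (redirected) =>
      applyProxy(redirected, proxy, redirected.href, true);
  }
  return options;
}

// Model of the redirect step: the Location URL overwrites the connection
// fields of the options, then the beforeRedirect hook (if set) is invoked.
// Returns the "host:port" the client would connect to on each hop.
function simulateHops(startUrl, locations, proxy, rehook) {
  const options = applyProxy({ headers: {} }, proxy, startUrl, rehook);
  const dialled = [`${options.hostname}:${options.port}`];
  let current = startUrl;
  for (const location of locations) {
    const next = new URL(location, current); // Location may be relative
    current = next.href;
    Object.assign(options, {
      href: next.href,
      hostname: next.hostname,
      port: Number(next.port) || (next.protocol === 'https:' ? 443 : 80),
      path: next.pathname + next.search,
    });
    if (typeof options.beforeRedirect === 'function') options.beforeRedirect(options);
    dialled.push(`${options.hostname}:${options.port}`);
  }
  return dialled;
}

// Constructed sample values: a local proxy and a redirect to an internal host.
const sampleProxy = { host: 'localhost', port: 8080 };
const sampleRedirects = ['http://internal.example/status'];
console.log('no hook:  ', simulateHops('http://www.google.com/', sampleRedirects, sampleProxy, false));
console.log('with hook:', simulateHops('http://www.google.com/', sampleRedirects, sampleProxy, true));
```

Without the hook the second hop connects to the redirect target directly; with it, every hop connects to the proxy.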

@marikaner

Does anyone have an idea for a workaround?

@marikaner

I found that this is in fact the cause of our issues. I fixed it for us with a workaround, but an actual fix would be much appreciated.

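The workaround is that, in case of an error, I set the url of the redirected request in the old config and execute the request again:

axios.request(myConfig).catch(error => {
  // The failed request was a redirect: repeat it with the original config (including the proxy)
  if (error.request && error.request._isRedirect) {
    return axios.request({
      ...myConfig,
      url: error.request._options.path
    });
  }
  // Propagate every other error instead of silently resolving to undefined
  throw error;
});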

@christian-kreuzberger-dtx

Thanks for the workaround!

Just to wrap this up: if we're not using the proxy feature of axios, we should not be affected by this?

@marikaner

Yes, that is my understanding. Only the combination of proxy + redirects.

@carnil

carnil commented Nov 13, 2020

CVE-2020-28168 appears to have been assigned to this issue.

@timemachine3030
Contributor

Anyone listening on this issue, code review of #3410 is needed.

@KrayzeeKev

SourceClear have rated this CVE a 7.5 which means that all our pipelines are failing to build. It'd be really good if #3410 could be merged as we can no longer deploy our software without raising all manner of engagements with corporate security.

jasonsaayman added this to the v0.21.1 milestone Nov 23, 2020
@jasonsaayman
Member

Please see #3410; this will be released in 0.21.1.

@mdeknowis

Hello, is there any schedule to release 0.21.1, so the vulnerability is fixed and all dependent projects can fix their vulnerabilities?

@mikesir87

Just as an FYI in case someone comes across this via a Google Search... incognito Chrome windows currently block third-party cookies, which will cause this error. So, either disable the feature (Settings -> Cookies and other site data -> Block third-party cookies in Incognito) or drop out of incognito.

@SergeyKoval

Looks like it is still present in 0.21.1...
