Added option "allowInsecureRedirect"

doyensec · Mar 12, 2023 · d423321 · d423321
1 parent 3c0cddc
commit d423321
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/lib/redirect.js b/lib/redirect.js
@@ -14,6 +14,7 @@ function Redirect (request) {
   this.redirects = []
   this.redirectsFollowed = 0
   this.removeRefererHeader = false
+  this.allowInsecureRedirect = false
 }
 
 Redirect.prototype.onRequest = function (options) {
@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
   if (options.followOriginalHttpMethod !== undefined) {
     self.followOriginalHttpMethod = options.followOriginalHttpMethod
   }
+  if (options.allowInsecureRedirect !== undefined) {
+    self.allowInsecureRedirect = options.allowInsecureRedirect;
+  }
 }
 
 Redirect.prototype.redirectTo = function (response) {
@@ -108,7 +112,7 @@ Redirect.prototype.onResponse = function (response) {
   request.uri = url.parse(redirectTo)
 
   // handle the case where we change protocol from https to http or vice versa
-  if (request.uri.protocol !== uriPrev.protocol) {
+  if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {
     delete request.agent
   }
 

diff --git a/tests/test-httpModule.js b/tests/test-httpModule.js
@@ -70,7 +70,8 @@ function runTests (name, httpModules) {
   tape(name, function (t) {
     var toHttps = 'http://localhost:' + plainServer.port + '/to_https'
     var toPlain = 'https://localhost:' + httpsServer.port + '/to_plain'
-    var options = { httpModules: httpModules, strictSSL: false }
+    var options = { httpModules: httpModules, strictSSL: false, allowInsecureRedirect: true }
+    var optionsSecure = { httpModules: httpModules, strictSSL: false }
     var modulesTest = httpModules || {}
 
     clearFauxRequests()

diff --git a/tests/test-redirect.js b/tests/test-redirect.js
@@ -345,7 +345,8 @@ tape('http to https redirect', function (t) {
   hits = {}
   request.get({
     uri: require('url').parse(s.url + '/ssl'),
-    rejectUnauthorized: false
+    rejectUnauthorized: false,
+    allowInsecureRedirect: true
   }, function (err, res, body) {
     t.equal(err, null)
     t.equal(res.statusCode, 200)
@@ -354,6 +355,18 @@ tape('http to https redirect', function (t) {
   })
 })
 
+tape('http to https redirect should fail without the explicit "allowInsecureRedirect" option', function (t) {
+  hits = {}
+  request.get({
+    uri: require('url').parse(s.url + '/ssl'),
+    rejectUnauthorized: false
+  }, function (err, res, body) {
+    t.notEqual(err, null)
+    t.equal(err.code, "ERR_INVALID_PROTOCOL","Failed to cross-protocol redirect")
+    t.end()
+  })
+})
+
 tape('should have referer header by default when following redirect', function (t) {
   request.post({
     uri: s.url + '/temp',