CVE-2020-28168: Requests that follow a redirect are not passing via the proxy · Issue #3369 · axios/axios

Describe the bug

In cases where axios is used by servers to perform http requests to user-supplied urls, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a url that responds with a redirect to a restricted host/ip.

To Reproduce

The following code spawns a proxy server that always responds with a 302 redirect, so requests should never reach the target url, however, axios is only reaching the proxy once, and bypassing the proxy after the redirect response.

https://runkit.com/embed/1df5qy8lbgnc

const axios = require(‘axios’) const http = require(‘http’)

const PROXY_PORT = 8080

// A fake proxy server http.createServer(function (req, res) { res.writeHead(302, {location: 'http://example.com’}) res.end() }).listen(PROXY_PORT)

axios({ method: "get", url: "http://www.google.com/", proxy: { host: "localhost", port: PROXY_PORT, }, }) .then(® => console.log(r.data)) .catch(console.error)

The response is the rendered html of http://example.com

Expected behavior

All the requests should pass via the proxy. In the provided scenario, there should be a redirect loop.

Environment

• Axios Version [0.21.0]
• Node.js Version [v12.18.2]

Additional context/Screenshots

Add any other context about the problem here. If applicable, add screenshots to help explain.