
Comments (3)

irsdl avatar irsdl commented on April 27, 2024

Here is the discussion on twitter/x: https://x.com/irsdl/status/1768057917826023568

It seems that all these are resolved as localhost:

  • http:google.com
  • http/:google.com
  • http\:google.com

from axios.

justindhillon avatar justindhillon commented on April 27, 2024

You can fix this security vulnerability by modifying the code a bit:

const express = require('express');
const axios = require('axios');

const app = express();
const port = 80;

app.get('/', async (req, res) => {
    // Only this hostname may be fetched on the caller's behalf.
    const whitelist = ['voorivex.team'];

    try {
        const { url } = req.query;
        // Parse with the WHATWG URL parser first; malformed input throws here.
        const parsedUrl = new URL(url);

        if (whitelist.includes(parsedUrl.hostname)) {
            // Forward the normalized href, not the raw query string.
            const response = await axios.get(parsedUrl.href);
            res.json(response.data);
        } else {
            res.status(403).send('Forbidden: Hostname not in whitelist');
        }
    } catch (error) {
        if (error.request) {
            // The request was sent but failed (network/upstream error).
            res.status(500).send('Internal Server Error');
        } else {
            // new URL() rejected the input.
            res.status(400).send('Bad Request: Invalid URL');
        }
    }
});

app.get('/admin', async (req, res) => {
    // Loopback-only endpoint: the SSRF target in this issue.
    const clientIP = req.ip;
    if (clientIP === '::1' || clientIP === '127.0.0.1' || clientIP === '::ffff:127.0.0.1') {
        res.send("Welcome to admin panel!");
    } else {
        res.status(403).send('Forbidden');
    }
});

app.listen(port, () => {
    console.log(`Server is running on http://localhost:${port}`);
});

Changing axios.get(url) to axios.get(parsedUrl.href) fixes this issue. You can use this fix for now. I am working on an actual fix in axios right now. Thank you to @Osb0rn3 for bringing this up!

from axios.
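The validation step from the comment above, pulled out as a stand-alone function so the normalization can be checked against the inputs irsdl listed. This is an added example, not code from the thread or from axios; the allow-list value and the inputs are constructed, and it assumes Node.js with the global WHATWG URL class.

```javascript
// Added example (not from the issue): parse the target with the WHATWG URL
// parser, allow-list the hostname, and return the normalized href that the
// outbound HTTP client should receive. Assumes Node.js (global URL).
const ALLOWED_HOSTS = ['voorivex.team']; // constructed allow-list

// Returns the normalized href when the input parses and its hostname is
// allowed, otherwise null. Parsing before forwarding ensures the hostname
// the server checked is the hostname the client will connect to.
function resolveAllowedTarget(rawUrl, allowlist = ALLOWED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(rawUrl); // throws TypeError on malformed input
  } catch (_) {
    return null;
  }
  // Only plain web schemes; rejects file:, ftp:, etc.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  // Exact hostname match; 'voorivex.team.example' does not pass.
  if (!allowlist.includes(parsed.hostname)) return null;
  return parsed.href; // e.g. 'http:voorivex.team' -> 'http://voorivex.team/'
}

// Walk a list of candidate inputs and report what each would resolve to.
function classify(inputs) {
  return inputs.map((u) => ({ input: u, target: resolveAllowedTarget(u) }));
}

// Constructed inputs, including the three shapes quoted in the thread.
const SAMPLE_INPUTS = [
  'http://voorivex.team/api?x=1',
  'http:voorivex.team',
  'http:google.com',
  'http/:google.com',
  'http\\:google.com',
  'http://localhost/admin',
];

console.table(classify(SAMPLE_INPUTS));
```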

justindhillon avatar justindhillon commented on April 27, 2024

I have done some testing, and I have come to a conclusion. This problem is already fixed in the v0.x branch, and the fix is released in version 0.28. The fix is also in the v1.x branch (tested on ab3f0f9). And the fix will roll out on the next version of axios, most likely 1.6.9.

This issue should be marked as closed.

from axios.
