AntiSSRFPolicy with the follow-redirects Library
Introduction
The follow-redirects library is a commonly used request library to extend Node.js http(s) functionality with the ability to automatically follow redirects. The example below shows how you can use the follow-redirects library with the AntiSSRF Node.js library.
Be careful of options that can bypass AntiSSRF protections:
- Changing the wrap option could lead to requests being made without a Node.js agent, and therefore without the AntiSSRFPolicy applied.
- As with the AntiSSRF agents themselves, supplying a custom lookup function bypasses the IP address validation performed by AntiSSRFPolicy.
Example
follow-redirects accepts either the agent option, as in ordinary Node.js requests, or the agents option, which carries both an http and an https agent so that redirects to either protocol are still routed through an agent.
Setup
Set up the AntiSSRFPolicy, then get the AntiSSRF agents from the policy.
import { AntiSSRFPolicy, PolicyConfigOptions } from "@microsoft/antissrf";
import { http, https } from "follow-redirects";

// Customize the policy
const policy = new AntiSSRFPolicy(PolicyConfigOptions.ExternalOnlyLatest);

// Get the AntiSSRF agents. follow-redirects looks the agent up by protocol
// name, so the keys must be "http" and "https".
const agents = {
  http: policy.getHttpAgent(),
  https: policy.getHttpsAgent({ keepAlive: true })
};
Use the AntiSSRF Agents for Requests
Every request to an endpoint with untrusted input should include the AntiSSRF agents.
const httpsReq = https.get(
  "<some_https_url_constructed_with_untrusted_input>",
  {
    agents: agents,
    // Node.js expects auth as a "user:password" string, not an object
    auth: "janedoe:s00pers3cret"
  },
  (res) => {
    /**
     * Will get here if the untrusted URL does NOT direct the request to
     * an internal or special-purpose IP address
     */
  });
httpsReq.on("error", (err) => {
  /**
   * Will get here if the untrusted URL directs the request to an internal
   * or special-purpose IP address
   */
});
httpsReq.end();
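The caveats above (agent, agents and lookup overrides) are easy to get wrong when request options come from several places in a code base. As an added example that is not part of the AntiSSRF project or of follow-redirects, the wrapper below rejects any option that would sidestep the policy and pins the policy agents to every hop; it assumes the agents object from the Setup step and takes the follow-redirects https (or http) export as the client parameter.

```javascript
// Added example, not from the AntiSSRF project or follow-redirects.
// Assumes `agents` is the { http, https } object built in the Setup step and
// `client` is the `https` (or `http`) export of follow-redirects.

// Option keys that would replace or bypass the policy agents (see the caveats above).
const BYPASS_KEYS = ["agent", "agents", "lookup", "createConnection"];

// Copy the caller's options, refuse bypass keys, and pin the policy agents so
// the initial request and every redirect go through AntiSSRFPolicy.
function hardenRequestOptions(userOptions, agents) {
  const opts = Object.assign({}, userOptions);
  for (const key of BYPASS_KEYS) {
    if (key in opts) {
      throw new Error(`option "${key}" is not allowed: it would bypass AntiSSRFPolicy`);
    }
  }
  opts.agents = agents; // follow-redirects selects opts.agents.http / .https per hop
  return opts;
}

// Promise wrapper: resolves with the response when every hop was allowed and
// rejects with the agent's error when a destination was blocked by the policy.
function policyGet(client, url, userOptions, agents) {
  const opts = hardenRequestOptions(userOptions, agents);
  return new Promise((resolve, reject) => {
    const req = client.get(url, opts, resolve);
    req.on("error", reject); // AntiSSRF agents report blocked destinations here
  });
}
```

With the real client this is called as policyGet(https, untrustedUrl, { headers }, agents), so no caller can reintroduce a lookup or agent override without the call failing loudly.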
If you want different examples or if you find any bug while using AntiSSRFPolicy with follow-redirects, please let us know at antissrf-oss@microsoft.com.