Comments (3)
Here is the discussion in twitter/x: https://x.com/irsdl/status/1768057917826023568
It seems that all these are resolved as localhost:
http:google.com
http/:google.com
http\:google.com
from axios.
You can fix this security vulnerability by modifying the code a bit:
const express = require('express');
const axios = require('axios');
const app = express();
const port = 80;

app.get('/', async (req, res) => {
  // Only this hostname may be fetched on behalf of the client.
  const whitelist = ['voorivex.team'];
  try {
    const { url } = req.query;
    // Parse with the WHATWG URL parser; malformed input throws a TypeError
    // and ends up in the 400 branch below.
    const parsedUrl = new URL(url);
    if (whitelist.includes(parsedUrl.hostname)) {
      // Pass the normalized href (scheme://host/...), not the raw query string.
      const response = await axios.get(parsedUrl.href);
      res.json(response.data);
    } else {
      res.status(403).send('Forbidden: Hostname not in whitelist');
    }
  } catch (error) {
    if (error.request) {
      // The request was sent but failed (network error, non-2xx, ...).
      res.status(500).send('Internal Server Error');
    } else {
      // No request was made: the URL did not parse.
      res.status(400).send('Bad Request: Invalid URL');
    }
  }
});

app.get('/admin', async (req, res) => {
  // Loopback-only endpoint; this is the SSRF target in the original report.
  const clientIP = req.ip;
  if (clientIP === '::1' || clientIP === '127.0.0.1' || clientIP === '::ffff:127.0.0.1') {
    res.send('Welcome to admin panel!');
  } else {
    res.status(403).send('Forbidden');
  }
});

app.listen(port, () => {
  console.log(`Server is running on http://localhost:${port}`);
});
Changing axios.get(url) to axios.get(parsedUrl.href) fixes this issue. You can use this fix for now. I am working on an actual fix in axios right now. Thank you to @Osb0rn3 for bringing this up!
from axios.
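To make the two comments above concrete, here is an added example (mine, not code from axios or from either commenter) that shows what the WHATWG URL parser does with the three probe strings from the first comment, and why handing axios the normalized href instead of the raw query string closes the hole. The "vulnerable" path is modelled here as resolving the raw string against a localhost base URL, which reproduces the "resolved as localhost" observation; that model is an assumption for illustration, not axios's actual code. The allowlist entry voorivex.team is taken from the posted fix; the other hostnames are constructed.

```javascript
// Added example, not part of the axios issue thread.
// Assumption: the buggy behaviour is modelled as "resolve the raw string
// against http://localhost when it does not look like an absolute URL".

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse without a base URL. A string with no well-formed scheme throws
// (ERR_INVALID_URL is a TypeError in Node), which we surface as null.
function parseStrict(input) {
  try {
    const u = new URL(input);
    return { href: u.href, hostname: u.hostname, protocol: u.protocol };
  } catch (err) {
    if (err instanceof TypeError) return null;
    throw err;
  }
}

// Model of the bug: the same strings resolved relative to a localhost base.
// "http:google.com" becomes a path on localhost, and so do the two variants
// with a slash or backslash before the colon.
function resolveAgainstLocalhost(input) {
  return new URL(input, 'http://localhost').href;
}

// Hardened check: parse, restrict the scheme, exact-match the hostname,
// and return the *normalized* href so the HTTP client sees scheme://host/...
// rather than the raw user string it might re-interpret.
function allowedTarget(input, allowlist) {
  const parsed = parseStrict(input);
  if (parsed === null) return null;
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  if (!allowlist.includes(parsed.hostname.toLowerCase())) return null;
  return parsed.href;
}

// Constructed probes: the three from the issue plus two classic allowlist
// bypass attempts (userinfo trick, suffix-matching trick).
const PROBES = [
  'http:google.com',
  'http/:google.com',
  'http\\:google.com',
  'http://voorivex.team@127.0.0.1/',
  'http://voorivex.team.evil.example/',
];

function demo(allowlist = ['voorivex.team']) {
  return PROBES.map((p) => ({
    input: p,
    strict: parseStrict(p),
    asRelative: resolveAgainstLocalhost(p),
    allowed: allowedTarget(p, allowlist),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Two things worth noting when you run it. First, `new URL('http:google.com')` parses to `http://google.com/`, so after the posted fix the string axios receives always carries the `//` that marks it as absolute; `http/:google.com` and `http\:google.com` do not parse at all and land in the 400 branch. Second, the hostname check only constrains the first hop: axios in Node follows redirects by default, so an allowed host that answers with a 3xx to `http://localhost/admin` still reaches the admin route unless you also set `maxRedirects: 0` (or validate each hop in `beforeRedirect`).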
I have done some testing, and I have come to a conclusion. This problem is already fixed in the v0.x branch, and the fix is released in version 0.28. The fix is also in the v1.x branch (tested on ab3f0f9). And the fix will roll out on the next version of axios, most likely 1.6.9.
This issue should be marked as closed.
from axios.