SSRF Cross Protocol Redirect Bypass
When the ssrfFilter library is used together with the Request library in JavaScript, a bug can result in the SSRF filter being disabled. The anti-SSRF library, ssrfFilter, works by creating its own object that can be used in place of Node's default request agent for http/https requests. As the agent, it can apply SSRF filtering at a relatively low level, making it harder to bypass, but it depends on being able to control the agent that the higher-level library (in this case the Request library) is using. When there is a cross-protocol redirect, such as from http to https, the Request library will delete the existing agent (and later replace it with the default one). This needs to happen because the default agent can only work for one protocol. However, this also means that if someone sets the anti-SSRF library's agent to be used, the filtering can be disabled simply by redirecting across protocols.
The authors also looked at a couple of other libraries, finding that node-fetch was not vulnerable as it didn't support cross-protocol redirects, and that axios configuration takes in separate http and https agents, though notably an application can forget to set one of the agents and have a similar bypass.
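
The agent handling described above can be modelled with Node's built-in modules. The following is an added example, not code from the Request or ssrfFilter projects: makeFilteringAgent, agentAfterRedirect, traceChain, the deny-list and the redirect chain are all hypothetical names and constructed values. It shows the filter being lost on an http to https hop and the mitigation of choosing a filtering agent by protocol on every hop.

```javascript
const http = require('http');
const https = require('https');
const net = require('net');

// Constructed deny-list for the demo: loopback, RFC 1918 and link-local ranges.
const internal = new net.BlockList();
[['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
 ['169.254.0.0', 16]].forEach(([prefix, bits]) => internal.addSubnet(prefix, bits));

// Hypothetical stand-in for an SSRF-filtering agent: refuses blocked IP literals
// before a socket is opened. A real filter must also check resolved DNS answers.
function makeFilteringAgent(Base) {
  const agent = new Base();
  const connect = agent.createConnection;
  agent.createConnection = function (options, cb) {
    if (net.isIPv4(options.host) && internal.check(options.host)) {
      throw new Error(`blocked internal address ${options.host}`);
    }
    return connect.call(this, options, cb);
  };
  agent.filtering = true; // marker used only by this demo
  return agent;
}
const filtering = { 'http:': makeFilteringAgent(http.Agent), 'https:': makeFilteringAgent(https.Agent) };
const defaults = { 'http:': http.globalAgent, 'https:': https.globalAgent };

// Model of one redirect hop. keepFilter=false mirrors the behaviour described above:
// a protocol change drops the configured agent and the default one takes over.
function agentAfterRedirect(fromUrl, toUrl, currentAgent, keepFilter) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, fromUrl);
  if (from.protocol === to.protocol) return currentAgent;
  return (keepFilter ? filtering : defaults)[to.protocol];
}

// Walk a redirect chain and record, per hop, whether the filter is still active.
function traceChain(urls, keepFilter) {
  let agent = filtering[new URL(urls[0]).protocol];
  const trace = [{ url: urls[0], filtered: agent.filtering === true }];
  for (let i = 1; i < urls.length; i++) {
    agent = agentAfterRedirect(urls[i - 1], urls[i], agent, keepFilter);
    trace.push({ url: urls[i], filtered: agent.filtering === true });
  }
  return trace;
}

// Constructed chain: an external http URL redirecting to https on an internal IP.
const chain = ['http://redirector.example/start', 'https://10.0.0.5/internal'];
```

With keepFilter set to false, the second hop of traceChain(chain, false) reports filtered: false; with true, the https filtering agent stays in place and rejects the internal address.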