Description
Describe the bug
Axios is vulnerable to a Server-Side Request Forgery attack caused by unexpected behaviour where requests for path relative URLS gets processed as protocol relative URLs.
This could be leveraged by an attacker to perform arbitrary requests from the server, potentially accessing internal systems or exfiltrating sensitive data.
To Reproduce
In this vulnerable code snippet, the developer intended to invoke a path relative to the base URL, however it allows an attacker to craft a malicious protocol-relative URL which is then requested by the server. Given protocol-relative URLs are not relevant server-side as there is no protocol to be relative to, the expected result would be an error. Instead, a valid URL is produced and requested.
Example Vulnerable Code
const axios = require('axios');
this.axios = axios.create({
baseURL: 'https://userapi.example.com',
});
//userId = '12345';
userId = '/google.com'
this.axios.get(`/${userId}`).then(function (response) {
console.log(`config.baseURL: ${response.config.baseURL}`);
console.log(`config.method: ${response.config.method}`);
console.log(`config.url: ${response.config.url}`);
console.log(`res.responseUrl: ${response.request.res.responseUrl}`);
});Expected Output (Prior to axios 1.3.2):
(node:10243) UnhandledPromiseRejectionWarning: TypeError [ERR_INVALID_URL]: Invalid URL: //example.orgDeveloper might also have expected:
config.baseURL: https://userapi.example.com
config.method: get
config.url: https://userapi.example.com//www.google.com/
res.responseUrl: https://userapi.example.com//www.google.com/Observed Output:
config.baseURL: https://userapi.example.com
config.method: get
config.url: //google.com
res.responseUrl: http://www.google.com/This behaviour is potentially unexpected and introduces the potential for attackers to request URLs on arbitrary hosts other than the host in the base URL.
The code related to parsing and preparing the URL for server-side requests, prior to version 1.3.2, only passed one argument to the Node.js URL class.
const fullPath = buildFullPath(config.baseURL, config.url);
const parsed = new URL(fullPath);
const protocol = parsed.protocol || supportedProtocols[0];Version 1.3.2 introduced http://localhost as a base URL for relative paths (#5458)
const fullPath = buildFullPath(config.baseURL, config.url);
const parsed = new URL(fullPath, 'http://localhost');
const protocol = parsed.protocol || supportedProtocols[0];As protocol-relative URLs are considered to be absolute, the config.baseURL value is ignored so protocol-relative URLs are passed to the URL class without a protocol. The node.js URL class will then prepend the protocol from 'http://localhost' to the protocol-relative URL.
For example
> new URL('//google.com', 'https://example.org');
URL {
href: 'https://google.com/',
...
}
> new URL('//google.com', 'file://example.org');
URL {
href: 'file://google.com/',
...
}Code snippet
No response
Expected behavior
An error could be raised when attempting to request protocol-relative URLs server-side as unlike in a client-side browser session, there is no established protocol to be relative to.
Axios Version
No response
Adapter Version
No response
Browser
No response
Browser Version
No response
Node.js Version
No response
OS
No response
Additional Library Versions
No response
Additional context/Screenshots
No response