fix(security): don't follow redirects (#10)

isomorphic-git · Jan 7, 2022 · 1b1c91e · 1b1c91e
1 parent 617b73f
commit 1b1c91e
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -2,7 +2,7 @@ jobs:
 - job: Linux
 
   pool:
-    vmImage: 'Ubuntu 16.04'
+    vmImage: 'ubuntu-latest'
 
   steps:
   - task: NodeTool@0

diff --git a/bin.js b/bin.js
diff --git a/middleware.js b/middleware.js
@@ -35,6 +35,7 @@ const exposeHeaders = [
   'etag',
   'expires',
   'last-modified',
+  'location',
   'pragma',
   'server',
   'transfer-encoding',
@@ -125,10 +126,16 @@ module.exports = ({ origin, insecure_origins = [], authorization = noop } = {})
       `${protocol}://${pathdomain}/${remainingpath}`,
       {
         method: req.method,
+        redirect: 'manual',
         headers,
         body: (req.method !== 'GET' && req.method !== 'HEAD') ? req : undefined
       }
     ).then(f => {
+      if (f.headers.has('location')) {
+        // Modify the location so the client continues to use the proxy
+        let newUrl = f.headers.get('location').replace(/^https?:\//, '')
+        f.headers.set('location', newUrl)
+      }
       res.statusCode = f.status
       for (let h of exposeHeaders) {
         if (h === 'content-length') continue