From 1b1c91e71d946544d97ccc7cf0ac62b859e03311 Mon Sep 17 00:00:00 2001
From: William Hilton
Date: Thu, 6 Jan 2022 21:30:39 -0500
Subject: [PATCH] fix(security): don't follow redirects (#10)

---
 azure-pipelines.yml | 2 +-
 bin.js | 0
 middleware.js | 7 +++++++
 3 files changed, 8 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 bin.js

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 1d864fa..556ea2d 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -2,7 +2,7 @@ jobs:
 - job: Linux
 pool:
-vmImage: 'Ubuntu 16.04'
+vmImage: 'ubuntu-latest'
 steps:
 - task: NodeTool@0
diff --git a/bin.js b/bin.js
old mode 100644
new mode 100755
diff --git a/middleware.js b/middleware.js
index d7f7b16..582a37b 100644
--- a/middleware.js
+++ b/middleware.js
@@ -35,6 +35,7 @@ const exposeHeaders = [
 'etag',
 'expires',
 'last-modified',
+'location',
 'pragma',
 'server',
 'transfer-encoding',
@@ -125,10 +126,16 @@ module.exports = ({ origin, insecure_origins = [], authorization = noop } = {})
 `${protocol}://${pathdomain}/${remainingpath}`,
 {
 method: req.method,
+redirect: 'manual',
 headers,
 body: (req.method !== 'GET' && req.method !== 'HEAD') ? req : undefined
 }
 ).then(f => {
+if (f.headers.has('location')) {
+// Modify the location so the client continues to use the proxy
+let newUrl = f.headers.get('location').replace(/^https?:\//, '')
+f.headers.set('location', newUrl)
+}
 res.statusCode = f.status
 for (let h of exposeHeaders) {
 if (h === 'content-length') continue
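Review bot: The Location rewrite in the second middleware.js hunk only handles absolute http(s) URLs: `/^https?:\//` leaves a relative `Location` (`/path` or `path`) untouched, so the client resolves it against the proxy rather than the upstream host and the next request reaches the proxy with the wrong path, while a protocol-relative `//host/path` makes the client leave the proxy altogether. Resolving the header against the upstream URL first and then re-rooting it on the proxy covers all three cases; the rewrite below also uses `const` and explains why only a single slash is stripped, which otherwise reads like a typo. If the `fetch` in scope is a WHATWG implementation rather than node-fetch, `f.headers.set` will throw because a fetched Response's headers are immutable — worth confirming, since every redirect would then fail inside the `.then`. The enclosing `module.exports` handler starts and ends outside the hunk.
```javascript
    ).then(f => {
      if (f.headers.has('location')) {
        // Resolve relative redirects against the upstream URL, then re-root the
        // target on the proxy as `/host/path?query` — the scheme is dropped on
        // purpose because the proxy re-derives it from the host segment.
        const upstream = new URL(`${protocol}://${pathdomain}/${remainingpath}`)
        const target = new URL(f.headers.get('location'), upstream)
        if (target.protocol === 'http:' || target.protocol === 'https:') {
          f.headers.set('location', `/${target.host}${target.pathname}${target.search}`)
        }
      }
      // … unchanged: status and exposeHeaders copy …
```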