Hotfix: Prevent SSRF

[timemachine3030]

Fixes vulnerability described in:

• https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
• Closes: Possible bug: Vulnerability SSRF #3407
• Closes: Requests that follow a redirect are not passing via the proxy #3369

Uses a hook in follow-redirects to continue using the proxy if a redirect is encountered.

[udaykor]

Is v0.21.1 free of SSRF?

[chinesedfan]

@timemachine3030 Shared some suggestions with you. Thanks for your quick fixing.

[ArSn]

@timemachine3030 Can you say if this only affected 0.21.0 or prior versions as well?

[timemachine3030]

@ArSn Versions since 0.19.0, when proxy forwarding was added.

The vulnerability is exclusive to Node.js applications making requests through proxy servers.

[ArSn]

Yeah I caught that, thanks!

[dobriai]

Sorry if this is not the right place to ask, but when is the fixed code going to be packaged and published on the NPM repo, so we can actually make use of it? When is the next npm version supposed to come out?

[twistedpair]

Any update on when 0.21.1 tag will will be cut, @jasonsaayman ? We're still waiting on this fix. Thanks!

[kobe0730]

@jasonsaayman When will 0.21.1 tag be released ？Thanks

[jasonsaayman]

@twistedpair, @kobe0730 I have asked Emily to get to this release so it is with her now, I will ask her if she will get to it this week and revert back. Thanks for your patience.

[kobe0730]

@twistedpair, @kobe0730 I have asked Emily to get to this release so it is with her now, I will ask her if she will get to it this week and revert back. Thanks for your patience.
Thanks

[martywins]

@jasonsaayman @emilyemorehouse Sorry to ping but any updates on when we can expect v0.21.1 will be released? Given the CVSS score on this I'm about to breach security SLOs (and judging by the interest from others I am not the only one). Thanks!

[benjoz]

Hello, same issue with my company - could we please release soon ? It will be a nice christmas gift 🙏
Thanks !

[aZaman546]

23480160548544