
// native modules
const url = require('url');
// dependencies
const axios = require('axios');
const express = require('express');
// constants
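// Hostname allowlist used by isValidDomain(); frozen so no request handler can
// widen it at runtime (a mutated allowlist would silently defeat the check).
const VALID_DOMAINS = Object.freeze(['example.com', 'example-2.com']);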
// start: the express app that the route below is registered on; no listen() is
// shown here, this file is a static-analysis fixture rather than a runnable server
const app = express();
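// Fixture route: both axios.get() calls below are intended SSRF sinks (see the
// `//SSRF` markers) and must stay as they are; only the surrounding defects are fixed.
app.get('/check-with-axios', req => {
  // without validation: the raw query value reaches the HTTP client unchanged.
  // Named `target`, not `url`, so the `url` module required at the top of the
  // file is not shadowed — with the shadow, `url.parse` below is a call on a string.
  const target = req.query.url;
  axios.get(target); //SSRF
  // validating domain only: parse a decoded copy and check its hostname.
  // decodeURIComponent() throws URIError on malformed percent-encoding; that
  // is left unhandled here, as in the original fixture.
  const decodedURI = decodeURIComponent(req.query.url);
  const { hostname } = url.parse(decodedURI);
  // Still an SSRF sink: the allowlist is checked against the decoded, legacy
  // url.parse() hostname, but the request is sent with the untouched
  // `req.query.url`. Scheme, port and userinfo are never checked, and any
  // disagreement between url.parse() on the decoded string and axios's own
  // parsing of the raw one bypasses the hostname check entirely.
  if (isValidDomain(hostname, VALID_DOMAINS)) {
    axios.get(req.query.url); //SSRF
  }
});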
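/**
 * Allowlist check for a parsed hostname.
 *
 * @param {string|null|undefined} hostname - hostname as returned by url.parse();
 *   `null` for relative or host-less input.
 * @param {readonly string[]} validDomains - allowed apex domains.
 * @returns {boolean} true when `hostname` equals an entry or is a subdomain of
 *   one (`api.example.com` for `example.com`). A bare suffix match such as
 *   `evilexample.com` is rejected because the dot is required. Non-string
 *   hostnames return false instead of throwing on `.endsWith`.
 *
 * No case folding is done here: url.parse() already lowercases the hostname,
 * but a raw `EXAMPLE.COM` passed directly would not match (fails closed).
 */
const isValidDomain = (hostname, validDomains) => {
  if (typeof hostname !== 'string') return false;
  return validDomains.some(
    (domain) => hostname === domain || hostname.endsWith(`.${domain}`),
  );
};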