Only ignore base URL if proxy is trusted

Author: hansott

library/helpers/getIPAddressFromRequest.ts

@@ -1,5 +1,6 @@
 import { isIP } from "net";
 import { isPrivateIP } from "../vulnerabilities/ssrf/isPrivateIP";
+import { trustProxy } from "./trustProxy";
 
 export function getIPAddressFromRequest(req: {
   headers: Record<string, unknown>;
@@ -57,16 +58,3 @@ function getClientIpFromXForwardedFor(value: string) {
 
   return null;
 }
-
-function trustProxy() {
-  if (!process.env.AIKIDO_TRUST_PROXY) {
-    // Trust proxy by default
-    // Most of the time, the application is behind a reverse proxy
-    return true;
-  }
-
-  return (
-    process.env.AIKIDO_TRUST_PROXY === "1" ||
-    process.env.AIKIDO_TRUST_PROXY === "true"
-  );
-}

library/helpers/trustProxy.test.ts

@@ -0,0 +1,20 @@
+import * as t from "tap";
+import { trustProxy } from "./trustProxy";
+
+t.beforeEach(() => {
+  delete process.env.AIKIDO_TRUST_PROXY;
+});
+
+t.test("the default is true", async () => {
+  t.equal(trustProxy(), true);
+});
+
+t.test("trust proxy set to false", async () => {
+  process.env.AIKIDO_TRUST_PROXY = "false";
+  t.equal(trustProxy(), false);
+});
+
+t.test("trust proxy set to true", async () => {
+  process.env.AIKIDO_TRUST_PROXY = "true";
+  t.equal(trustProxy(), true);
+});

library/helpers/trustProxy.ts

@@ -0,0 +1,11 @@
+import { envToBool } from "./envToBool";
+
+export function trustProxy() {
+  if (!process.env.AIKIDO_TRUST_PROXY) {
+    // Trust proxy by default
+    // Most of the time, the application is behind a reverse proxy
+    return true;
+  }
+
+  return envToBool(process.env.AIKIDO_TRUST_PROXY);
+}

library/vulnerabilities/ssrf/checkContextForSSRF.ts

@@ -5,6 +5,7 @@ import { SOURCES } from "../../agent/Source";
 import { getPathsToPayload } from "../../helpers/attackPath";
 import { extractStringsFromUserInputCached } from "../../helpers/extractStringsFromUserInputCached";
 import { getPortFromURL } from "../../helpers/getPortFromURL";
+import { trustProxy } from "../../helpers/trustProxy";
 import { tryParseURL } from "../../helpers/tryParseURL";
 import { containsPrivateIPAddress } from "./containsPrivateIPAddress";
 import { findHostnameInUserInput } from "./findHostnameInUserInput";
@@ -33,10 +34,11 @@ export function checkContextForSSRF({
     return;
   }
 
-  if (context.url) {
+  if (trustProxy() && context.url) {
     // We don't want to block outgoing requests to the same host as the server
     // (often happens that we have a match on headers like `Host`, `Origin`, `Referer`, etc.)
     // We have to check the port as well, because the hostname can be the same but with a different port
+    // If Node.js is exposed to the internet, we can't be sure about the Host header
     const baseURL = tryParseURL(context.url);
     if (
       baseURL &&

library/vulnerabilities/ssrf/findHostnameInContext.ts

@@ -3,6 +3,7 @@ import { Source, SOURCES } from "../../agent/Source";
 import { getPathsToPayload } from "../../helpers/attackPath";
 import { extractStringsFromUserInputCached } from "../../helpers/extractStringsFromUserInputCached";
 import { getPortFromURL } from "../../helpers/getPortFromURL";
+import { trustProxy } from "../../helpers/trustProxy";
 import { tryParseURL } from "../../helpers/tryParseURL";
 import { findHostnameInUserInput } from "./findHostnameInUserInput";
 
@@ -19,10 +20,11 @@ export function findHostnameInContext(
   context: Context,
   port: number | undefined
 ): HostnameLocation | undefined {
-  if (context.url) {
+  if (trustProxy() && context.url) {
     // We don't want to block outgoing requests to the same host as the server
     // (often happens that we have a match on headers like `Host`, `Origin`, `Referer`, etc.)
     // We have to check the port as well, because the hostname can be the same but with a different port
+    // If Node.js is exposed to the internet, we can't be sure about the Host header
     const baseURL = tryParseURL(context.url);
     if (
       baseURL &&