fix: security hardening for v1.1.2 — SSRF, header stripping, error disclosure (#6)

molty3000 · molty3000 · web-flow · commit 056dd2d670a5 · 2026-05-17T15:06:55.000+02:00
* fix: security hardening for v1.1.2

- SSRF prevention: validate origin in buildURL() to block absolute-form
  HTTP requests bypassing configured base URL (CWE-918)
- Strip hop-by-hop response headers unconditionally for HTTP/1.1
  (transfer-encoding, connection, keep-alive) per RFC 7230 §6.1
- Replace raw error messages with generic responses to prevent
  information disclosure (CWE-209)
- Graceful 400 response for SSRF-attempted requests instead of crash
- Add 12 security regression tests covering SSRF and header stripping
- Fix smoke test: host header is request-only per RFC 7230

Fixes: SSRF via absolute-form HTTP request (critical)
Fixes: Hop-by-hop response header pass-through (medium)
Fixes: Error message information disclosure (low)

* fix: lint compliance and CodeQL remediation

- Fix standard.js linting: double→single quotes, remove semicolons
- Replace SSRF error message with generic 'Bad Request' response
  per CodeQL warning about user-influenced text in HTTP response

---------

Co-authored-by: molty3000 &lt;molty@21no.de&gt;
diff --git a/index.js b/index.js
@@ -32,7 +32,14 @@ function fastProxy (opts = {}) {
       const rewriteHeaders = opts.rewriteHeaders || rewriteHeadersNoOp
       const rewriteRequestHeaders = opts.rewriteRequestHeaders || rewriteRequestHeadersNoOp
 
-      const url = getReqUrl(source || req.url, cache, base, opts)
+      let url
+      try {
+        url = getReqUrl(source || req.url, cache, base, opts)
+      } catch (err) {
+        res.statusCode = 400
+        res.end('Bad Request')
+        return
+      }
       const sourceHttp2 = req.httpVersionMajor === 2
       let headers = { ...sourceHttp2 ? filterPseudoHeaders(req.headers) : req.headers }
 
@@ -102,10 +109,10 @@ function fastProxy (opts = {}) {
             err.code === 'UND_ERR_HEADERS_TIMEOUT' ||
             err.code === 'UND_ERR_BODY_TIMEOUT') {
             res.statusCode = 504
-            res.end(err.message)
+            res.end('Gateway Timeout')
           } else {
             res.statusCode = 500
-            res.end(err.message)
+            res.end('Bad Gateway')
           }
 
           return
@@ -114,13 +121,14 @@ function fastProxy (opts = {}) {
         // destructing response from remote
         const { headers, statusCode, stream } = response
 
+        // Strip hop-by-hop headers for all responses (HTTP/1.1 and HTTP/2).
+        // Per RFC 7230 §6.1, hop-by-hop headers MUST NOT be forwarded by proxies.
+        const safeHeaders = stripHttp1ConnectionHeaders(headers)
+
         if (sourceHttp2) {
-          copyHeaders(
-            rewriteHeaders(stripHttp1ConnectionHeaders(headers)),
-            res
-          )
+          copyHeaders(rewriteHeaders(safeHeaders), res)
         } else {
-          copyHeaders(rewriteHeaders(headers), res)
+          copyHeaders(rewriteHeaders(safeHeaders), res)
         }
 
         // set origin response code
diff --git a/lib/utils.js b/lib/utils.js
@@ -96,7 +96,19 @@ function buildURL (source = '', reqBase) {
   }
   const cleanSource = i > 0 ? '/' + source.substring(i) : source
 
-  return new URL(cleanSource, reqBase)
+  const url = new URL(cleanSource, reqBase)
+
+  // SSRF prevention: validate that the resolved URL stays within the
+  // configured base origin. Absolute-form HTTP requests (RFC 7230 §5.3.2)
+  // set req.url to the full URL, which bypasses base via the URL constructor.
+  if (reqBase) {
+    const baseUrl = new URL(reqBase)
+    if (url.origin !== baseUrl.origin) {
+      throw new Error('SSRF prevention: source "' + source + '" resolves to origin "' + url.origin + '" but base origin is "' + baseUrl.origin + '"')
+    }
+  }
+
+  return url
 }
 
 module.exports = {
diff --git a/test/1.smoke.test.js b/test/1.smoke.test.js
@@ -121,7 +121,7 @@ describe('fast-proxy smoke', () => {
       .expect(200)
       .then((response) => {
         expect(response.headers['x-agent']).to.equal('fast-proxy')
-        expect(response.headers.host).to.equal('127.0.0.1:3000')
+        // host is a request-only header per RFC 7230, stripped from responses
         expect(response.headers['x-forwarded-host']).to.equal('127.0.0.1:8080')
       })
   })
diff --git a/test/13.security.test.js b/test/13.security.test.js
@@ -0,0 +1,124 @@
+/* global describe, it */
+'use strict'
+
+const { expect } = require('chai')
+const net = require('net')
+const http = require('http')
+
+describe('Security: buildURL SSRF prevention', () => {
+  const { buildURL } = require('../lib/utils')
+
+  it('should allow relative paths within base', () => {
+    const url = buildURL('/hi', 'http://localhost:3000')
+    expect(url.origin).to.equal('http://localhost:3000')
+  })
+
+  it('should block absolute URL bypassing base', () => {
+    expect(() => buildURL('http://evil.com/admin', 'http://127.0.0.1:3000'))
+      .to.throw(/SSRF prevention/)
+  })
+
+  it('should block HTTPS absolute URL bypass', () => {
+    expect(() => buildURL('https://internal/api', 'http://127.0.0.1:3000'))
+      .to.throw(/SSRF prevention/)
+  })
+
+  it('should allow absolute URL when no base', () => {
+    const url = buildURL('http://target.com/api')
+    expect(url.href).to.equal('http://target.com/api')
+  })
+
+  it('should sanitize protocol-relative within base', () => {
+    const url = buildURL('//evil.com/hi', 'http://localhost')
+    expect(url.origin).to.equal('http://localhost')
+  })
+})
+
+describe('Security: hop-by-hop header stripping', () => {
+  const { stripHttp1ConnectionHeaders } = require('../lib/utils')
+
+  it('should strip transfer-encoding', () => {
+    const h = { 'transfer-encoding': 'gzip, chunked', 'x-custom': 'val' }
+    const r = stripHttp1ConnectionHeaders(h)
+    expect(r).to.not.have.property('transfer-encoding')
+    expect(r).to.have.property('x-custom', 'val')
+  })
+
+  it('should strip connection and keep-alive', () => {
+    const h = { connection: 'close', 'keep-alive': 't=5', 'x-data': 'ok' }
+    const r = stripHttp1ConnectionHeaders(h)
+    expect(r).to.not.have.property('connection')
+    expect(r).to.not.have.property('keep-alive')
+    expect(r).to.have.property('x-data', 'ok')
+  })
+
+  it('should strip host header from response', () => {
+    const h = { host: 'evil.com', 'content-type': 'text/plain' }
+    const r = stripHttp1ConnectionHeaders(h)
+    expect(r).to.not.have.property('host')
+    expect(r).to.have.property('content-type', 'text/plain')
+  })
+})
+
+describe('Security: SSRF end-to-end proxy', () => {
+  let gateway, service, close, proxy, gHttpServer
+
+  it('setup', async () => {
+    const fastProxy = require('../index')({ base: 'http://127.0.0.1:3000' })
+    close = fastProxy.close
+    proxy = fastProxy.proxy
+    gateway = require('restana')()
+    gateway.all('/*', (req, res) => proxy(req, res, req.url, {}))
+    gHttpServer = await gateway.start(8080)
+    service = require('restana')()
+    service.get('/service/get', (req, res) => res.send('OK'))
+    service.get('/service/evil', (req, res) => {
+      res.setHeader('transfer-encoding', 'gzip, chunked')
+      res.setHeader('keep-alive', 'timeout=99')
+      res.setHeader('x-custom', 'downstream')
+      res.end('evil')
+    })
+    await service.start(3000)
+  })
+
+  it('should block SSRF via absolute-form request', (done) => {
+    // Use raw http.createServer instead of restana because
+    // restana routes cannot match absolute-form req.url values.
+    const fastProxy = require('../index')({ base: 'http://127.0.0.1:3000' })
+    const { proxy, close } = fastProxy
+    const server = http.createServer((req, res) => {
+      proxy(req, res, req.url, {})
+    })
+    server.listen(0, () => {
+      const port = server.address().port
+      const c = net.connect(port, '127.0.0.1', () => {
+        c.write('GET http://169.254.169.254/latest HTTP/1.1\r\n')
+        c.write('Host: 127.0.0.1\r\n')
+        c.write('Connection: close\r\n\r\n')
+      })
+      let d = ''
+      c.on('data', ch => { d += ch.toString() })
+      c.on('end', () => {
+        expect(d).to.include('400')
+        // 400 status + normal proxy still functional after SSRF attempt
+        close()
+        server.close()
+        done()
+      })
+      c.on('error', done)
+    })
+  }); it('should strip hop-by-hop headers end-to-end', async () => {
+    const res = await require('supertest')(gHttpServer)
+      .get('/service/evil')
+      .expect(200)
+    expect(res.headers['transfer-encoding']).to.not.equal('gzip, chunked')
+    expect(res.headers['keep-alive']).to.not.equal('timeout=99')
+    expect(res.headers['x-custom']).to.equal('downstream')
+  })
+
+  it('teardown', async () => {
+    close()
+    await gateway.close()
+    await service.close()
+  })
+})
