OP-Engineering / link-preview-js

⛓ Extract web links information: title, description, images, videos, etc. [via OpenGraph], runs on mobiles and node.
MIT License
770 stars, 124 forks

Follow redirection lead to SSRF vulnerability #105

Closed aaydin-tr closed 2 years ago

aaydin-tr commented 2 years ago

Hello everyone. I work as a security researcher at a company. A few days ago our developers started to use this library, so I did security research on it. As a result of the investigation, I have identified an SSRF vulnerability that may be a high priority for us and a critical priority for some users. You used a regex to validate the URLs in the library; that's fine, and the regex works as far as I can see, but following redirects by default makes this regex pointless, because the attacker can very simply redirect to the internal network with a valid domain and, since the library will follow this redirection, it can send requests to endpoints in the local network. Follow redirect by default must also be false. If you update it this way, the library will be more secure.

To Reproduce

Steps to reproduce the behavior:

  1. Create a ngrok session which points to your server
  2. Create a script (PHP, Java, Node, etc.) which redirects to any local endpoint you want to trigger
  3. Make the library request the valid ngrok URL (e.g. https://9a64-159-146-10-46.ngrok.io/redirect.php)
  4. See that the local endpoint is triggered

Screenshots

The PHP script would be like this:

[image not available]

Response

[image not available]

All tests were done in the latest version of the library

ospfranco commented 2 years ago

Ah, this is indeed troublesome. I will gladly fix it ASAP, but I'm short on time at the moment; if you could create a PR, I will gladly merge it.