fent / node-miniget

A small http(s) GET library.
MIT License
52 stars, 17 forks

SSRF Vulnerability in request function #74

Closed LightYagami28 closed 3 days ago

LightYagami28 commented 2 weeks ago

Issue Description: A potential Server-Side Request Forgery (SSRF) vulnerability was detected in the miniget library. The issue was identified in the file index.js at line 170, where unsanitized input from the document location flows into a request.

Steps to Reproduce: This vulnerability was detected using Snyk Code analysis. The code in question does not adequately validate or sanitize the input, leading to a potential SSRF risk.

Suggested Fix: It is recommended to validate the input URL, potentially by implementing a whitelist of allowed domains or by sanitizing user input before making the request.

References:

LightYagami28 commented 2 weeks ago

Pls fix @fent

fent commented 2 weeks ago

The link doesn't work. What's the suggested fix for this?

LightYagami28 commented 2 weeks ago

New link: https://learn.snyk.io/lesson/ssrf-server-side-request-forgery/

fent commented 2 weeks ago

So the suggested fix is to not allow common internal domains such as localhost, 127.0.0.1, 192....., etc? Although there could be a custom internal domain.

I also looked at other http libraries like got, node-fetch, superagent, and request. Only request mitigates around this by not allowing redirects for non-GET requests here.