Open rymndhng opened 6 years ago
Thanks for reporting this. I looked into clj-http redirect which has some options using http components and clj-http also validates hosts by default. I will try to test this and also use httpbin to produce an unsafe redirect which should be blocked by the library for a test case.
Howdy, wonder if you've considered SSRF through redirects.

For example, if we whitelist 10.x.x.x, an outbound request may ask you to redirect to `Location: 10.x.x.x`; this middleware doesn't protect against it. This is more involved than middleware (you'd have to look at a custom `:redirect-strategy`).
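An added example of the custom `:redirect-strategy` route the comment above points at; this is not code from the issue or from the library under discussion. It assumes clj-http 3.x on Apache HttpClient 4.x, where `:redirect-strategy` accepts an `org.apache.http.client.RedirectStrategy` instance in addition to the built-in keywords (`:default`, `:lax`, `:graceful`, `:none`); the function names and the httpbin URL are illustrative. The strategy lets `DefaultRedirectStrategy` compute the redirect target and then refuses the hop if the `Location` host resolves to a loopback, site-local, link-local or wildcard address, so a 302 to `10.x.x.x` is blocked even though the original URL passed the pre-request check.

```clojure
(ns example.safe-redirect
  (:require [clj-http.client :as client])
  (:import [java.net InetAddress URI UnknownHostException]
           [org.apache.http ProtocolException]
           [org.apache.http.impl.client DefaultRedirectStrategy]))

;; Illustrative predicate (assumption, not part of clj-http): treat any address
;; in the JDK's loopback / site-local / link-local / wildcard classes as internal.
;; isSiteLocalAddress covers 10/8, 172.16/12 and 192.168/16 (fec0::/10 for IPv6);
;; isLinkLocalAddress covers 169.254/16, where cloud metadata endpoints live.
(defn private-address? [^InetAddress addr]
  (or (.isLoopbackAddress addr)
      (.isSiteLocalAddress addr)
      (.isLinkLocalAddress addr)
      (.isAnyLocalAddress addr)))

;; Resolve the host and require that *every* returned address is public.
;; A host that cannot be resolved is rejected (fail closed).
(defn host-allowed? [^String host]
  (try
    (not-any? private-address? (InetAddress/getAllByName host))
    (catch UnknownHostException _ false)))

;; A RedirectStrategy that re-validates each redirect target. DefaultRedirectStrategy
;; already resolves relative Location headers to an absolute URI, so we only add the
;; host check on top and throw ProtocolException to abort the redirect.
(def safe-redirect-strategy
  (proxy [DefaultRedirectStrategy] []
    (getLocationURI [request response context]
      (let [^URI uri (proxy-super getLocationURI request response context)
            host (.getHost uri)]
        (when-not (and host (host-allowed? host))
          (throw (ProtocolException.
                  (str "Refusing redirect to disallowed host: " host))))
        uri))))

;; httpbin's /redirect-to endpoint answers with a 302 to the given url; with the
;; strategy installed the request fails instead of following it into 10.0.0.1.
(defn fetch-with-safe-redirects [url]
  (client/get url {:redirect-strategy safe-redirect-strategy}))

(comment
  (fetch-with-safe-redirects
   "https://httpbin.org/redirect-to?url=http://10.0.0.1/"))
```

Two caveats a practitioner should keep in mind. First, the check resolves the host itself and HttpClient resolves it again when connecting, so a DNS-rebinding attacker can still return a public address to the check and a private one to the connection; closing that gap means pinning the resolved address (for example via a custom `DnsResolver` on the connection manager) rather than validating by name. Second, the JDK predicates are not a complete definition of "internal" (100.64/10, IPv4-mapped IPv6 and an organisation's own public ranges are not covered), so the same predicate should back both the pre-request middleware and the redirect strategy, and it should be extended to whatever the deployment considers internal.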