Merge pull request #504 from AikidoSec/fix-fetch-new-request

Support fetch(new Request(...))
AikidoSec · Jan 20, 2025 · f80214c · f80214c
2 parents 588f93b + 0c47d31
commit f80214c
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/library/sinks/Fetch.test.ts b/library/sinks/Fetch.test.ts
@@ -105,6 +105,14 @@ t.test(
     t.same(agent.getHostnames().asArray(), []);
     agent.getHostnames().clear();
 
+    await fetch(new Request("https://app.aikido.dev"));
+
+    t.same(agent.getHostnames().asArray(), [
+      { hostname: "app.aikido.dev", port: 443, hits: 1 },
+    ]);
+
+    agent.getHostnames().clear();
+
     await runWithContext(context, async () => {
       // Don't await fetch to see how it handles
       // multiple requests at the same time
@@ -156,6 +164,16 @@ t.test(
           "Zen has blocked a server-side request forgery: fetch(...) originating from body.image"
         );
       }
+
+      const error4 = await t.rejects(() =>
+        fetch(new Request("http://localhost:4000/api/internal"))
+      );
+      if (error4 instanceof Error) {
+        t.same(
+          error4.message,
+          "Zen has blocked a server-side request forgery: fetch(...) originating from body.image"
+        );
+      }
     });
 
     await runWithContext(
@@ -258,7 +276,9 @@ t.test(
         ...{ body: { image: redirectUrl.domainTwice } },
       },
       async () => {
-        const error = await t.rejects(() => fetch(redirectUrl.domainTwice));
+        const error = await t.rejects(() =>
+          fetch(new Request(redirectUrl.domainTwice))
+        );
         if (error instanceof Error) {
           t.same(
             // @ts-expect-error Type is not defined

diff --git a/library/sinks/Fetch.ts b/library/sinks/Fetch.ts
@@ -1,3 +1,4 @@
+/* eslint-disable max-lines-per-function */
 import { lookup } from "dns";
 import { Agent } from "../agent/Agent";
 import { getContext } from "../agent/Context";
@@ -37,6 +38,7 @@ export class Fetch implements Wrapper {
 
   inspectFetch(args: unknown[], agent: Agent): InterceptorResult {
     if (args.length > 0) {
+      // URL string
       if (typeof args[0] === "string" && args[0].length > 0) {
         const url = tryParseURL(args[0]);
         if (url) {
@@ -69,6 +71,7 @@ export class Fetch implements Wrapper {
         }
       }
 
+      // URL object
       if (args[0] instanceof URL && args[0].hostname.length > 0) {
         const attack = this.inspectHostname(
           agent,
@@ -79,6 +82,21 @@ export class Fetch implements Wrapper {
           return attack;
         }
       }
+
+      // Request object
+      if (args[0] instanceof Request) {
+        const url = tryParseURL(args[0].url);
+        if (url) {
+          const attack = this.inspectHostname(
+            agent,
+            url.hostname,
+            getPortFromURL(url)
+          );
+          if (attack) {
+            return attack;
+          }
+        }
+      }
     }
 
     return undefined;