fix(security): re-validate HttpUriPlugin redirects against allowedUris; enforce http(s) and max redirects

xiaoxiaojx · web-flow · commit 2179fdbcb34f · 2025-12-14T17:11:00.000+03:00
diff --git a/.changeset/secure-http-redirects.md b/.changeset/secure-http-redirects.md
@@ -0,0 +1,5 @@
+---
+"webpack": patch
+---
+
+Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
diff --git a/lib/schemes/HttpUriPlugin.js b/lib/schemes/HttpUriPlugin.js
@@ -34,6 +34,8 @@ const memoize = require("../util/memoize");
 const getHttp = memoize(() => require("http"));
 const getHttps = memoize(() => require("https"));
 
+const MAX_REDIRECTS = 5;
+
 /**
  * @param {typeof import("http") | typeof import("https")} request request
  * @param {string | URL | undefined} proxy proxy
@@ -200,6 +202,22 @@ const areLockfileEntriesEqual = (a, b) =>
 const entryToString = (entry) =>
 	`resolved: ${entry.resolved}, integrity: ${entry.integrity}, contentType: ${entry.contentType}`;
 
+/**
+ * Sanitize URL for inclusion in error messages
+ * @param {string} href URL string to sanitize
+ * @returns {string} sanitized URL text for logs/errors
+ */
+const sanitizeUrlForError = (href) => {
+	try {
+		const u = new URL(href);
+		return `${u.protocol}//${u.host}`;
+	} catch (_err) {
+		return String(href)
+			.slice(0, 200)
+			.replace(/[\r\n]/g, "");
+	}
+};
+
 class Lockfile {
 	constructor() {
 		this.version = 1;
@@ -636,12 +654,46 @@ class HttpUriPlugin {
 				};
 
 				for (const { scheme, fetch } of schemes) {
+					/**
+					 * @param {string} location Location header value (relative or absolute)
+					 * @param {string} base current absolute URL
+					 * @returns {string} absolute, validated redirect target
+					 */
+					const validateRedirectLocation = (location, base) => {
+						let nextUrl;
+						try {
+							nextUrl = new URL(location, base);
+						} catch (_err) {
+							throw new Error(
+								`Invalid redirect URL: ${sanitizeUrlForError(location)}`
+							);
+						}
+						if (nextUrl.protocol !== "http:" && nextUrl.protocol !== "https:") {
+							throw new Error(
+								`Redirected URL uses disallowed protocol: ${sanitizeUrlForError(nextUrl.href)}`
+							);
+						}
+						if (!isAllowed(nextUrl.href)) {
+							throw new Error(
+								`${nextUrl.href} doesn't match the allowedUris policy after redirect. These URIs are allowed:\n${allowedUris
+									.map((uri) => ` - ${uri}`)
+									.join("\n")}`
+							);
+						}
+						return nextUrl.href;
+					};
 					/**
 					 * @param {string} url URL
 					 * @param {string | null} integrity integrity
 					 * @param {(err: Error | null, resolveContentResult?: ResolveContentResult) => void} callback callback
+					 * @param {number=} redirectCount number of followed redirects
 					 */
-					const resolveContent = (url, integrity, callback) => {
+					const resolveContent = (
+						url,
+						integrity,
+						callback,
+						redirectCount = 0
+					) => {
 						/**
 						 * @param {Error | null} err error
 						 * @param {FetchResult=} _result fetch result
@@ -653,8 +705,18 @@ class HttpUriPlugin {
 							const result = /** @type {FetchResult} */ (_result);
 
 							if ("location" in result) {
+								// Validate redirect target before following
+								let absolute;
+								try {
+									absolute = validateRedirectLocation(result.location, url);
+								} catch (err_) {
+									return callback(/** @type {Error} */ (err_));
+								}
+								if (redirectCount >= MAX_REDIRECTS) {
+									return callback(new Error("Too many redirects"));
+								}
 								return resolveContent(
-									result.location,
+									absolute,
 									integrity,
 									(err, innerResult) => {
 										if (err) return callback(err);
@@ -665,7 +727,8 @@ class HttpUriPlugin {
 											content,
 											storeLock: storeLock && result.storeLock
 										});
-									}
+									},
+									redirectCount + 1
 								);
 							}
 
@@ -781,9 +844,16 @@ class HttpUriPlugin {
 								res.statusCode >= 301 &&
 								res.statusCode <= 308
 							) {
-								const result = {
-									location: new URL(location, url).href
-								};
+								let absolute;
+								try {
+									absolute = validateRedirectLocation(location, url);
+								} catch (err) {
+									logger.log(
+										`GET ${url} [${res.statusCode}] -> ${String(location)} (rejected: ${/** @type {Error} */ (err).message})`
+									);
+									return callback(/** @type {Error} */ (err));
+								}
+								const result = { location: absolute };
 								if (
 									!cachedResult ||
 									!("location" in cachedResult) ||

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"webpack": patch
 +---
++
 +Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.