This repository has been archived by the owner on Feb 2, 2024. It is now read-only.

Someone can use req.url like '//10.10.10.10' to make an SSRF attack, because the host in headers is not expected. #42

Closed
KaixinChen0512 opened this issue Dec 8, 2020 · 2 comments

Comments

@KaixinChen0512

KaixinChen0512 commented Dec 8, 2020

When someone uses fast-proxy like:

const base = 'http://somewhere.com'
const { proxy, close } = require('fast-proxy')({
  base
})

and gives req.url like "//10.10.10.10/", the result of the getReqUrl method is:

URL {
  href: 'http://10.10.10.10/',
  origin: 'http://10.10.10.10',
  protocol: 'http:',
  username: '',
  password: '',
  host: '10.10.10.10',
  hostname: '10.10.10.10',
  port: '',
  pathname: '/',
  search: '',
  searchParams: URLSearchParams {},
  hash: '' }

but the result we expected is:

URL {
  href: 'http://somewhere.com/',
  origin: 'http://somewhere.com',
  protocol: 'http:',
  username: '',
  password: '',
  host: 'somewhere.com',
  hostname: 'somewhere.com',
  port: '',
  pathname: '/',
  search: '',
  searchParams: URLSearchParams {},
  hash: '' }

It can be used to make an SSRF attack,
so I suggest polyfilling the method getResUrl:
[two screenshots of the proposed polyfill; the image contents are not recoverable from the page]

When we create a new URL instance, we need to exclude sources that begin with '//' and make them like '/'.

@jkyberneees
Collaborator

Hi @KaixinChen0512, many thanks for reporting this issue, I will follow up on this and let you know ASAP.

Regards

@jkyberneees
Collaborator

This issue was fixed in https://github.com/fastify/fast-proxy/releases/tag/v1.8.0.

Many thanks again for reporting!!!
