From d88ca102c67ab8d7b41e26fb347504341bfc524d Mon Sep 17 00:00:00 2001
From: Anna Shaleva
Date: Wed, 11 May 2022 07:23:29 +0300
Subject: [PATCH] services: forbid insecure Oracle request redirects
---
 pkg/services/oracle/network.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkg/services/oracle/network.go b/pkg/services/oracle/network.go
index b4ee6ef02..9983cdbd7 100644
--- a/pkg/services/oracle/network.go
+++ b/pkg/services/oracle/network.go
@@ -90,6 +90,10 @@ func getDefaultClient(cfg config.OracleConfiguration) *http.Client {
 if len(via) > maxRedirections { // from https://github.com/neo-project/neo-modules/pull/698
 return fmt.Errorf("%w: %d redirections are reached", ErrRestrictedRedirect, maxRedirections)
 }
+ if len(via) > 0 && via[0].URL.Scheme == "https" && req.URL.Scheme != "https" {
+ lastHop := via[len(via)-1].URL
+ return fmt.Errorf("%w: redirected from secure URL %s to insecure URL %s", ErrRestrictedRedirect, lastHop, req.URL)
+ }
 return nil
 }
 return &client
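Review bot: The added error formats `lastHop` and `req.URL` with `%s`, which prints each URL in full, including any userinfo password and the query string. Where this error ends up (node log, oracle response) is not visible in the hunk, so consider passing `lastHop.Redacted()` and `req.URL.Redacted()` instead, keeping in mind that Redacted masks only the password and leaves query parameters as they are. The condition also deserves a one-line comment above it, e.g. `// via[0] is the original request: once it used HTTPS, no later hop may leave HTTPS.`, because comparing against `via[0]` while reporting `via[len(via)-1]` is easy to misread as a first-hop-only check. The diffstat lists only network.go, so a test that serves an https-to-http redirect and expects `ErrRestrictedRedirect` would pin the new behaviour. The enclosing closure (presumably the client's CheckRedirect) and getDefaultClient both start and end outside the hunk.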