Merge pull request #2389 from nspcc-dev/oracle/auto-redirect

services: forbid https -> http Oracle request auto-redirect
nspcc-dev · May 11, 2022 · f3802c3 · f3802c3
2 parents d158811 + d88ca10
commit f3802c3
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/pkg/services/oracle/network.go b/pkg/services/oracle/network.go
@@ -90,6 +90,10 @@ func getDefaultClient(cfg config.OracleConfiguration) *http.Client {
 		if len(via) > maxRedirections { // from https://github.com/neo-project/neo-modules/pull/698
 			return fmt.Errorf("%w: %d redirections are reached", ErrRestrictedRedirect, maxRedirections)
 		}
+		if len(via) > 0 && via[0].URL.Scheme == "https" && req.URL.Scheme != "https" {
+			lastHop := via[len(via)-1].URL
+			return fmt.Errorf("%w: redirected from secure URL %s to insecure URL %s", ErrRestrictedRedirect, lastHop, req.URL)
+		}
 		return nil
 	}
 	return &client