Chore/Prevent invalid http redirect (#4990)

prevent invalid http redirect
Henry Heng
2025-07-31 12:24:08 +01:00
committed by GitHub
parent ed27ad0c58
commit 89a806f722
6 changed files with 181 additions and 30 deletions
@@ -1,9 +1,9 @@
import { ICommonObject, INode, INodeData, INodeParams } from '../../../src/Interface'
import axios, { AxiosRequestConfig, Method, ResponseType } from 'axios'
import { AxiosRequestConfig, Method, ResponseType } from 'axios'
import FormData from 'form-data'
import * as querystring from 'querystring'
import { getCredentialData, getCredentialParam } from '../../../src/utils'
import { checkDenyList } from '../../../src/httpSecurity'
import { secureAxiosRequest } from '../../../src/httpSecurity'
class HTTP_Agentflow implements INode {
label: string
@@ -293,8 +293,6 @@ class HTTP_Agentflow implements INode {
// Build final URL with query parameters
const finalUrl = queryString ? `${url}${url.includes('?') ? '&' : '?'}${queryString}` : url
await checkDenyList(finalUrl)
// Prepare request config
const requestConfig: AxiosRequestConfig = {
method: method as Method,
@@ -331,8 +329,8 @@ class HTTP_Agentflow implements INode {
}
}
// Make the HTTP request
const response = await axios(requestConfig)
// Make the secure HTTP request that validates all URLs in redirect chains
const response = await secureAxiosRequest(requestConfig)
// Process response based on response type
let responseData
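Review bot: With `await checkDenyList(finalUrl)` removed in the hunk above, nothing visible in this file checks the initial URL any more, so `secureAxiosRequest(requestConfig)` must deny-list-check `requestConfig.url` before the first request as well as every redirect target. The helper's body is not on this page, so that needs confirming against `httpSecurity`, ideally with a test that passes a blocked URL directly with no redirect involved. If the helper validates a hostname and then lets axios resolve it again, the address connected to can differ from the one checked; validating the resolved address closes that gap. A contract comment at the call site would help, e.g. `// secureAxiosRequest checks the initial URL and each redirect hop against the deny list`. The enclosing method starts and ends outside these hunks.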
@@ -1,7 +1,6 @@
import { z } from 'zod'
import fetch from 'node-fetch'
import { DynamicStructuredTool } from '../OpenAPIToolkit/core'
import { checkDenyList } from '../../../src/httpSecurity'
import { secureFetch } from '../../../src/httpSecurity'
export const desc = `Use this when you need to execute a DELETE request to remove data from a website.`
@@ -166,11 +165,8 @@ export class RequestsDeleteTool extends DynamicStructuredTool {
finalUrl = url.toString()
}
// Check if URL is allowed by security policy
await checkDenyList(finalUrl)
try {
const res = await fetch(finalUrl, {
const res = await secureFetch(finalUrl, {
method: 'DELETE',
headers: requestHeaders
})
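Review bot: Moving the policy check into the `try` changes how a deny-list rejection propagates: the old `await checkDenyList(finalUrl)` ran before `try {` and threw straight to the caller, while `secureFetch(finalUrl, …)` now throws inside it, so the `catch` (not visible in this hunk) decides what happens to a blocked request. Confirm the handler surfaces a policy denial as a distinct, logged error rather than folding it into a generic fetch failure. The RequestsGetTool hunk has the same shape. If the catch is generic, a comment above the call such as `// secureFetch throws on deny-listed URLs, including redirect targets; do not swallow` would record the intent.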
@@ -1,7 +1,6 @@
import { z } from 'zod'
import fetch from 'node-fetch'
import { DynamicStructuredTool } from '../OpenAPIToolkit/core'
import { checkDenyList } from '../../../src/httpSecurity'
import { secureFetch } from '../../../src/httpSecurity'
export const desc = `Use this when you need to execute a GET request to get data from a website.`
@@ -166,11 +165,8 @@ export class RequestsGetTool extends DynamicStructuredTool {
finalUrl = url.toString()
}
// Check if URL is allowed by security policy
await checkDenyList(finalUrl)
try {
const res = await fetch(finalUrl, {
const res = await secureFetch(finalUrl, {
headers: requestHeaders
})
@@ -1,7 +1,6 @@
import { z } from 'zod'
import fetch from 'node-fetch'
import { DynamicStructuredTool } from '../OpenAPIToolkit/core'
import { checkDenyList } from '../../../src/httpSecurity'
import { secureFetch } from '../../../src/httpSecurity'
export const desc = `Use this when you want to execute a POST request to create or update a resource.`
@@ -127,10 +126,7 @@ export class RequestsPostTool extends DynamicStructuredTool {
...this.headers
}
// Check if URL is allowed by security policy
await checkDenyList(inputUrl)
const res = await fetch(inputUrl, {
const res = await secureFetch(inputUrl, {
method: 'POST',
headers: requestHeaders,
body: JSON.stringify(inputBody)
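Review bot: `secureFetch(inputUrl, { method: 'POST', headers: requestHeaders, body: … })` hands the helper a body and caller-supplied headers, and nothing here shows what happens to them when a redirect points at a different origin. If the helper follows redirects hop by hop (its body is not on this page), it should drop credential-bearing headers such as `Authorization` and `Cookie` on a cross-origin hop, keep the usual 301/302/303 versus 307/308 rules for method and body, and cap the number of hops. The RequestsPutTool hunk has the same shape. This belongs in the helper's doc comment, backed by a test that redirects a POST to a second host and asserts the headers and body are not replayed.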
@@ -1,7 +1,6 @@
import { z } from 'zod'
import fetch from 'node-fetch'
import { DynamicStructuredTool } from '../OpenAPIToolkit/core'
import { checkDenyList } from '../../../src/httpSecurity'
import { secureFetch } from '../../../src/httpSecurity'
export const desc = `Use this when you want to execute a PUT request to update or replace a resource.`
@@ -127,10 +126,7 @@ export class RequestsPutTool extends DynamicStructuredTool {
...this.headers
}
// Check if URL is allowed by security policy
await checkDenyList(inputUrl)
const res = await fetch(inputUrl, {
const res = await secureFetch(inputUrl, {
method: 'PUT',
headers: requestHeaders,
body: JSON.stringify(inputBody)