From f460297dafa6ddf1ced9bdacaef8609626a9f392 Mon Sep 17 00:00:00 2001
From: Conner McCall
Date: Thu, 13 Feb 2025 09:06:53 -0600
Subject: [PATCH] fix: allow upgrading HTTP to HTTPS for redirects Re: #3142 and #3658 When adding certain podcasts, the server encountered a redirect from an HTTP URL to an HTTPS domain, causing an error that was difficult for end users to diagnose without inspecting logs or HTML. This issue arose due to SSRF security measures that blocked such redirects. Instead of failing in these cases, we now detect when the error is caused by an HTTP-to-HTTPS upgrade. If confirmed, we upgrade the initial URL to HTTPS and resend the request. Since this change does not allow cross-protocol or cross-domain redirections, it remains secure while resolving most of the reported issues. Affected podcasts that are now fixed: - D&D is for Nerds - The New Yorker: The Writer's Voice - New Fiction from The New Yorker - Radiolab
---
 server/utils/podcastUtils.js | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/server/utils/podcastUtils.js b/server/utils/podcastUtils.js
index 485fccfb..1ecb0a75 100644
--- a/server/utils/podcastUtils.js
+++ b/server/utils/podcastUtils.js
@@ -343,6 +343,14 @@ module.exports.getPodcastFeed = (feedUrl, excludeEpisodeMetadata = false) => {
 return payload.podcast
 })
 .catch((error) => {
+ // Check for failures due to redirecting from http to https. If original url was http, upgrade to https and try again
+ if (error.code === 'ERR_FR_REDIRECTION_FAILURE' && error.cause.code === 'ERR_INVALID_PROTOCOL') {
+ if (feedUrl.startsWith('http://') && error.request._options.protocol === 'https:') {
+ Logger.info('Redirection from http to https detected. Upgrading Request', error.request._options.href)
+ feedUrl = feedUrl.replace('http://', 'https://')
+ return this.getPodcastFeed(feedUrl, excludeEpisodeMetadata)
+ }
+ }
 Logger.error('[podcastUtils] getPodcastFeed Error', error)
 return null
 })
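Review bot: The new branch in the `.catch` handler dereferences `error.cause.code` and `error.request._options.protocol` without guards, so an error that carries the redirection code but lacks `cause` or `request` would throw inside the handler and reject the promise instead of reaching `Logger.error` and `return null`. `_options` also looks like a private field of the redirect library, so its shape may change between versions; guarding with `error.cause?.code === 'ERR_INVALID_PROTOCOL'` and `error.request?._options?.protocol === 'https:'` keeps the fallback path intact. The retry is bounded to one attempt because the rewritten `feedUrl` no longer starts with `http://`, and it re-enters `getPodcastFeed` rather than following the redirect target, so the SSRF filtering presumably still applies, though the request setup is outside this hunk. A short comment stating that only the scheme of the original URL is changed and the redirect's host is never used would make that security property explicit.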