Requests that follow a redirect are not passing via the proxy #3369
Description
Describe the bug
In cases where axios is used by servers to perform HTTP requests to user-supplied URLs, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a URL that responds with a redirect to a restricted host/IP.
To Reproduce
The following code spawns a proxy server that always responds with a 302 redirect, so requests should never reach the target URL. However, axios only reaches the proxy once and bypasses the proxy after the redirect response.
```js
const axios = require('axios')
const http = require('http')
const PROXY_PORT = 8080
// A fake proxy server
http.createServer(function (req, res) {
  res.writeHead(302, {location: 'http://example.com'})
  res.end()
}).listen(PROXY_PORT)
axios({
  method: "get",
  url: "http://www.google.com/",
  proxy: {
    host: "localhost",
    port: PROXY_PORT,
  },
})
  .then((r) => console.log(r.data))
  .catch(console.error)
```

The response is the rendered HTML of http://example.com
Expected behavior
All the requests should pass via the proxy. In the provided scenario, there should be a redirect loop.
Environment
- Axios Version [0.21.0]
- Node.js Version [v12.18.2]