Proposal: Change default follow_redirects to false for http_client output (Prevent SSRF) #402

@andreas-habel

Description

We've identified a potential Server-Side Request Forgery (SSRF) vulnerability tied to the Benthos http_client output component.

Currently, the follow_redirects configuration defaults to true. If Benthos is configured to interact with an external or semi-trusted endpoint, and that endpoint gets compromised or behaves maliciously, it can return a 3xx redirect pointing to an internal, non-public address (e.g., an internal API, or cloud metadata services like 169.254.169.254). Because Benthos follows redirects by default, it will unknowingly execute the SSRF attack against the internal network.

To align with a "secure-by-default" posture, we propose changing the default value of follow_redirects from true to false across all HTTP-based components. Users who genuinely need to follow redirects should be required to explicitly opt-in by setting follow_redirects: true in their configuration.

We acknowledge that changing this default is a breaking change that will likely disrupt users who implicitly rely on the current redirect behavior.
If changing the component-level default immediately is not feasible due to backward compatibility, a few alternatives could be:

  • Target for next v5 release
  • Linter Warning: Update the lint command to emit a warning when an HTTP component is defined without an explicit follow_redirects value, encouraging users to make a conscious choice.

We are currently exploring workarounds on our end (such as CI/CD linting), but we believe fixing this at the core would benefit the entire community by removing a subtle but significant security footgun.
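One way to implement the linter-warning alternative (and the CI/CD lint workaround) described above, as an added example that is not part of this issue or of Benthos itself: it walks an already-parsed config (assumed to come from a YAML parser such as PyYAML), flags every HTTP client block that carries a `url` but no explicit `follow_redirects`, and produces a hardened copy with `follow_redirects: false`. The sample config is constructed, and the set of component keys treated as HTTP clients is an assumption.

```python
"""Lint a parsed Benthos config for HTTP client components that silently rely on
the follow_redirects: true default, and build a hardened copy that opts out."""
import copy

# Assumption: these keys embed Benthos' HTTP client config (http_client
# input/output and the http processor). The top-level `http:` API-server block
# is excluded by requiring a `url` field, which only the client blocks carry.
HTTP_CLIENT_KEYS = ("http_client", "http")


def _walk(node, path, findings):
    """Collect the dotted path of every HTTP client block lacking follow_redirects."""
    if isinstance(node, dict):
        for key, value in node.items():
            child_path = path + [str(key)]
            is_client = key in HTTP_CLIENT_KEYS and isinstance(value, dict) and "url" in value
            if is_client and "follow_redirects" not in value:
                findings.append(".".join(child_path))
            _walk(value, child_path, findings)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, path + [str(index)], findings)


def lint_follow_redirects(config):
    """Return dotted paths of HTTP client blocks with no explicit follow_redirects."""
    findings = []
    _walk(config, [], findings)
    return findings


def harden(config):
    """Return a deep copy in which every flagged block gets follow_redirects: false."""
    hardened = copy.deepcopy(config)
    for dotted in lint_follow_redirects(hardened):
        node = hardened
        for part in dotted.split("."):
            node = node[int(part)] if isinstance(node, list) else node[part]
        node["follow_redirects"] = False
    return hardened


# Constructed sample (as parsed from YAML): the output relies on the implicit
# default, the processor opts in explicitly, the API-server block is not a client.
SAMPLE_CONFIG = {
    "http": {"address": "0.0.0.0:4195"},
    "input": {"generate": {"mapping": "root = {}"}},
    "pipeline": {"processors": [
        {"http": {"url": "https://partner.example/enrich", "follow_redirects": True}},
    ]},
    "output": {"http_client": {"url": "https://partner.example/ingest", "verb": "POST"}},
}

if __name__ == "__main__":
    for finding in lint_follow_redirects(SAMPLE_CONFIG):
        print(f"warning: {finding} has no explicit follow_redirects (defaults to true)")
```

Run it in CI against the parsed config and fail the job when the returned list is non-empty, or feed `harden()`'s result back into the pipeline as the opt-in baseline.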
