HTTP authentication leak in redirects #1090

Closed
2 tasks done
joebowbeer opened this issue Feb 25, 2020 · 0 comments · Fixed by #1051
joebowbeer commented Feb 25, 2020

Describe the bug

A custom authorization header, if present, is passed on redirect. This can leak auth tokens, and in many cases requests with unexpected authorization headers will be rejected.

Actual behavior

If a custom authorization header is added to options, and the request is redirected (302), the authorization header will be passed to the redirect location.

In my case, my app was using got to fetch a tarball from npm.pkg.github.com which redirected to pkg.githubusercontent.com, which rejected the request (400).

Expected behavior

curl does not forward custom authorization: https://curl.haxx.se/docs/CVE-2018-1000007.html

It is convenient that got follows redirects by default, but it should not forward authorization headers by default.

Workaround

Add a beforeRedirect hook to remove the authorization header.

Example: https://github.com/joebowbeer/regsync/blob/master/src/util.ts#L54

Checklist

  • I have read the documentation.
  • I have tried my code with the latest version of Node.js and Got.
@szmarczak szmarczak added bug Something does not work as it should ✭ help wanted ✭ labels Feb 25, 2020
@szmarczak szmarczak self-assigned this Feb 25, 2020
@szmarczak szmarczak mentioned this issue Feb 27, 2020
szmarczak added a commit to szmarczak/got that referenced this issue Feb 29, 2020
szmarczak added a commit to szmarczak/got that referenced this issue Mar 3, 2020
szmarczak added a commit to szmarczak/got that referenced this issue Mar 4, 2020