Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(Headers): don't forward secure headers on protocol change #1599

Merged
merged 2 commits into from
Jul 18, 2022
Merged

fix(Headers): don't forward secure headers on protocol change #1599

merged 2 commits into from
Jul 18, 2022

Conversation

max-stytch
Copy link
Contributor

Purpose

Resolves https://www.huntr.dev/bounties/db31e05b-ff10-4057-81a3-37445bf161cd/ by validating that the URL protocol remains the same when determining whether to send secure headers on a redirect.
This prevents MITM attacks from sniffing secure headers when a redirect downgrades a https:// to a http://

Changes

Adds an additional check to the redirect follow step to determine whether to send secure headers or not.

Additional information

  • I updated readme
  • I added unit test(s)

@max-stytch max-stytch mentioned this pull request Jul 7, 2022
Merged
@jimmywarting jimmywarting requested review from gr2m and LinusU July 12, 2022 16:32
gr2m
gr2m approved these changes Jul 16, 2022
View reviewed changes
Copy link
Collaborator

@gr2m gr2m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great PR 👍🏼

@jimmywarting jimmywarting merged commit e87b093 into node-fetch:main Jul 18, 2022
@github-actions
Copy link

🎉 This PR is included in version 3.2.9 🎉

The release is available on:

Your semantic-release bot 📦🚀

@victal
Copy link

victal commented Jul 19, 2022

Sorry if this is the wrong place to ask, but since this PR is a fix for a security issue, will (or should) it be backported to the 2.x branch as it was done for #1449?

Is this done automatically or should I (or someone else interested in the fix) open another PR targeting the 2.x branch for that?

victal pushed a commit to victal/node-fetch that referenced this pull request Jul 19, 2022
fix(headers): don't forward secure headers on protocol change
0d08bad 
backport for node-fetch#1599 to the 2.x branch
@jimmywarting
Copy link
Collaborator

if you @victal could create a PR to the v2 branch then that would be grate!

@victal victal mentioned this pull request Jul 19, 2022
Merged
2 tasks
@victal
Copy link

victal commented Jul 19, 2022

Just created #1605 for it, thanks!

jimmywarting pushed a commit that referenced this pull request Jul 19, 2022
@victal
fix(headers): don't forward secure headers on protocol change (#1605)
fddad0e 
backport for #1599 to the 2.x branch

Co-authored-by: Guilherme Victal <guilherme.a@dasa.com.br>
@data-sync-user data-sync-user mentioned this pull request Oct 12, 2023
Closed
@ali8889 ali8889 mentioned this pull request May 19, 2024
Open
@ntnguyencse ntnguyencse mentioned this pull request May 19, 2024
Open
@mshantanu mshantanu mentioned this pull request May 19, 2024
Open
@ali8889 ali8889 mentioned this pull request May 19, 2024
Open
This was referenced May 20, 2024
Closed
Closed
@mshantanu mshantanu mentioned this pull request May 20, 2024
Open
@ali8889 ali8889 mentioned this pull request May 21, 2024
Open
@mshantanu mshantanu mentioned this pull request May 21, 2024
Open
@snyk-io snyk-io bot mentioned this pull request May 21, 2024
Open
@Bad3r Bad3r mentioned this pull request May 22, 2024
Open
@lockyz lockyz mentioned this pull request May 22, 2024
Closed
@ali8889 ali8889 mentioned this pull request Sep 27, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 27, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 27, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 28, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 29, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 29, 2024
Open
@xtrmbuster xtrmbuster mentioned this pull request Sep 29, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 30, 2024
Open
@mshantanu mshantanu mentioned this pull request Sep 30, 2024
Open
@ali8889 ali8889 mentioned this pull request Sep 30, 2024
Open
This was referenced Oct 1, 2024
Open
Open
This was referenced Oct 2, 2024
Open
Open
@mshantanu mshantanu mentioned this pull request Oct 3, 2024
Open
@ali8889 ali8889 mentioned this pull request Oct 4, 2024
Open
@mshantanu mshantanu mentioned this pull request Oct 4, 2024
Open
@ali8889 ali8889 mentioned this pull request Oct 5, 2024
Open
This was referenced Oct 5, 2024
Open
Open
@WontonSam WontonSam mentioned this pull request Oct 11, 2024
Open
@Sarrac3873 Sarrac3873 mentioned this pull request Oct 17, 2024
Open
@githubgamer112 githubgamer112 mentioned this pull request Oct 25, 2024
Open
@ReneMaetzschker ReneMaetzschker mentioned this pull request Oct 26, 2024
Open
@ali8889 ali8889 mentioned this pull request Oct 30, 2024
Open
@mihaibuzgau mihaibuzgau mentioned this pull request Nov 1, 2024
Open
@ali8889 ali8889 mentioned this pull request Nov 6, 2024
Open
@snyk-io snyk-io bot mentioned this pull request Nov 9, 2024
Open
@mshantanu mshantanu mentioned this pull request Nov 12, 2024
Open
@ali8889 ali8889 mentioned this pull request Nov 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NotMoni NotMoni NotMoni approved these changes

@jimmywarting jimmywarting jimmywarting approved these changes

@gr2m gr2m gr2m approved these changes

@LinusU LinusU Awaiting requested review from LinusU

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@max-stytch @victal @jimmywarting @gr2m @NotMoni