Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: non-breaking: Add option "allowInsecureRedirect" #30

Closed
wants to merge 2 commits into from
Closed

security: non-breaking: Add option "allowInsecureRedirect" #30

wants to merge 2 commits into from

Conversation

legobeat
Copy link

@legobeat legobeat commented Mar 25, 2023
edited
Loading

PR Checklist:

  • I have run npm test locally and all tests are passing.
  • I have added/updated tests for any new behavior.
  • If this is a significant change, an issue has already been created where the problem / solution was discussed: CVE-2023-28155 #27

PR Description

  • Ported from Ssrf fix request/request#3444
    • Existing behavior allows malicious redirects between protocols
    • Add new option allowInsecureRedirect where false disables this behavior

This is intended as a non-breaking alternative to #28. The only functional difference is that this version retains the default behavior and allowInsecureRedirect needs to be set explicitly to disable cross-protocol redirects.

@legobeat legobeat mentioned this pull request Mar 25, 2023
Merged
3 tasks
legobeat
legobeat commented Mar 25, 2023
View reviewed changes
tests/test-redirect.js Outdated
@@ -454,6 +455,18 @@ tape('http to https redirect', function (t) {
})
})

tape('http to https redirect should fail without the explicit "allowInsecureRedirect" option', function (t) {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would be good to check for the inverse (https to http) as well if anyone feels up for adding it.

@legobeat legobeat force-pushed the ssrf-allow-insecure-redirect-non-breaking branch from 796f02d to 6d4e013 Compare March 25, 2023 01:19
@legobeat legobeat mentioned this pull request Mar 25, 2023
Closed
@legobeat legobeat marked this pull request as ready for review March 25, 2023 01:22
@legobeat legobeat mentioned this pull request Mar 25, 2023
Closed
TheLandolorien
TheLandolorien approved these changes Aug 1, 2023
View reviewed changes
Copy link

@TheLandolorien TheLandolorien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 📦

SzymonDrosdzol and others added 2 commits August 1, 2023 17:35
@SzymonDrosdzol @legobeat
security: breaking: Add option "allowInsecureRedirect"
281e694 
- Addresses CVE-2023-28155
  - Existing behavior allows malicios redirects between protocols
  - Set default behavior to disable this vector (breaking)
  - Add new option `allowInsecureRedirect` where `true` reverts to old
    behavior
- Ported from request#3444
@legobeat
default to allowInsecureRedirect=true
3323308
@legobeat legobeat force-pushed the ssrf-allow-insecure-redirect-non-breaking branch from 6d4e013 to 3323308 Compare August 1, 2023 17:35
@G-Rath G-Rath mentioned this pull request Aug 1, 2023
Merged
3 tasks
@G-Rath
Copy link

G-Rath commented Aug 1, 2023

note that to properly resolve GHSA-p8p7-x288-28g6 this behaviour needs to be enabled by default - given the usecase of this library and that it's a security issue I think it would be fair to argue this is a bug and so valid to change in a patch version with it enabled by default (i.e. #28)

@nagash77 nagash77 self-assigned this Aug 2, 2023
@chrisbreiding
Copy link

Closing in favor of #28

@nagash77 nagash77 removed their assignment Aug 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TheLandolorien TheLandolorien TheLandolorien approved these changes

@ewoelfel ewoelfel ewoelfel approved these changes

@chrisbreiding chrisbreiding Awaiting requested review from chrisbreiding

@AtofStryker AtofStryker Awaiting requested review from AtofStryker

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@legobeat @G-Rath @chrisbreiding @TheLandolorien @ewoelfel @nagash77 @SzymonDrosdzol