Merge pull request from GHSA-q768-x9m6-m9qp

Signed-off-by: Matteo Collina <hello@matteocollina.com>
crysmags · Feb 27, 2024 · 2adf108 · 2adf108
1 parent 2fc0ac0
commit 2adf108
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 3 deletions.
diff --git a/lib/handler/redirect.js b/lib/handler/redirect.js
@@ -186,7 +186,8 @@ function shouldRemoveHeader (header, removeContent, unknownOrigin) {
   return (
     (header.length === 4 && header.toString().toLowerCase() === 'host') ||
     (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) ||
-    (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization')
+    (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') ||
+    (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie')
   )
 }
 

diff --git a/test/redirect-request.js b/test/redirect-request.js
@@ -7,7 +7,8 @@ const {
   startRedirectingWithBodyServer,
   startRedirectingChainServers,
   startRedirectingWithoutLocationServer,
-  startRedirectingWithAuthorization
+  startRedirectingWithAuthorization,
+  startRedirectingWithCookie
 } = require('./utils/redirecting-servers')
 const { createReadable, createReadableStream } = require('./utils/stream')
 
@@ -489,3 +490,22 @@ t.test('removes authorization header on third party origin', async t => {
 
   t.equal(body, '')
 })
+
+t.test('removes cookie header on third party origin', async t => {
+  t.plan(1)
+
+  const [server1] = await startRedirectingWithCookie(t, 'a=b')
+  const { body: bodyStream } = await undici.request(`http://${server1}`, {
+    maxRedirections: 10,
+    headers: {
+      cookie: 'a=b'
+    }
+  })
+
+  let body = ''
+  for await (const b of bodyStream) {
+    body += b
+  }
+
+  t.equal(body, '')
+})
diff --git a/test/redirect-stream.js b/test/redirect-stream.js
@@ -7,7 +7,8 @@ const {
   startRedirectingWithBodyServer,
   startRedirectingChainServers,
   startRedirectingWithoutLocationServer,
-  startRedirectingWithAuthorization
+  startRedirectingWithAuthorization,
+  startRedirectingWithCookie
 } = require('./utils/redirecting-servers')
 const { createReadable, createWritable } = require('./utils/stream')
 
@@ -401,3 +402,20 @@ t.test('removes authorization header on third party origin', async t => {
 
   t.equal(body.length, 0)
 })
+
+t.test('removes cookie header on third party origin', async t => {
+  t.plan(1)
+
+  const body = []
+
+  const [server1] = await startRedirectingWithCookie(t, 'a=b')
+  await stream(`http://${server1}`, {
+    maxRedirections: 10,
+    opaque: body,
+    headers: {
+      cookie: 'a=b'
+    }
+  }, ({ statusCode, headers, opaque }) => createWritable(opaque))
+
+  t.equal(body.length, 0)
+})
diff --git a/test/utils/redirecting-servers.js b/test/utils/redirecting-servers.js
@@ -178,6 +178,29 @@ async function startRedirectingWithAuthorization (t, authorization) {
   return [server1, server2]
 }
 
+async function startRedirectingWithCookie (t, cookie) {
+  const server1 = await startServer(t, (req, res) => {
+    if (req.headers.cookie !== cookie) {
+      res.statusCode = 403
+      res.setHeader('Connection', 'close')
+      res.end('')
+      return
+    }
+
+    res.statusCode = 301
+    res.setHeader('Connection', 'close')
+
+    res.setHeader('Location', `http://${server2}`)
+    res.end('')
+  })
+
+  const server2 = await startServer(t, (req, res) => {
+    res.end(req.headers.cookie || '')
+  })
+
+  return [server1, server2]
+}
+
 async function startRedirectingWithRelativePath (t) {
   const server = await startServer(t, (req, res) => {
     res.setHeader('Connection', 'close')
@@ -206,5 +229,6 @@ module.exports = {
   startRedirectingWithoutLocationServer,
   startRedirectingChainServers,
   startRedirectingWithAuthorization,
+  startRedirectingWithCookie,
   startRedirectingWithRelativePath
 }