fix(Headers): don't forward secure headers on protocol change #1599

Merged


max-stytch
Contributor

Purpose

Resolves https://www.huntr.dev/bounties/db31e05b-ff10-4057-81a3-37445bf161cd/ by validating that the URL protocol remains the same when determining whether to send secure headers on a redirect.
This prevents MITM attacks from sniffing secure headers when a redirect downgrades a https:// to a http://.

Changes

Adds an additional check to the redirect follow step to determine whether to send secure headers or not.

Additional information


  • I updated readme
  • I added unit test(s)
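
The redirect decision described in this PR, as an added sketch that is not node-fetch's own code: credential-bearing headers are dropped unless the redirect target keeps both the host (or a subdomain of it) and the protocol. The function names, the header list and the host check are assumptions for illustration.

```javascript
// Added example; all names here are hypothetical, not node-fetch internals.
// Headers treated as credential-bearing in this sketch (assumed list).
const SENSITIVE_HEADERS = ['authorization', 'cookie', 'cookie2', 'www-authenticate'];

// True when `destination` is the same host as `original` or a subdomain of it.
function isSameHostOrSubdomain(original, destination) {
  const orig = new URL(original).hostname;
  const dest = new URL(destination).hostname;
  return orig === dest || dest.endsWith(`.${orig}`);
}

// True when both URLs use the same scheme, e.g. both "https:".
function isSameProtocol(original, destination) {
  return new URL(original).protocol === new URL(destination).protocol;
}

// Returns the headers to send on the follow-up request after a redirect.
// `location` is the Location header value and may be relative.
function headersForRedirect(requestUrl, location, headers) {
  const target = new URL(location, requestUrl).href;

  // Copy with lower-cased names so the caller's object is never mutated.
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    forwarded[name.toLowerCase()] = value;
  }

  // The host check alone would let https:// -> http:// on the same host
  // through; the protocol check closes that gap.
  if (!isSameHostOrSubdomain(requestUrl, target) || !isSameProtocol(requestUrl, target)) {
    for (const name of SENSITIVE_HEADERS) {
      delete forwarded[name];
    }
  }
  return forwarded;
}

// Constructed sample request headers (not taken from the PR).
const sampleHeaders = {Authorization: 'Bearer constructed-token', Accept: 'application/json'};

// Same host, downgraded protocol: Authorization is stripped, Accept survives.
console.log(headersForRedirect('https://api.example.test/a', 'http://api.example.test/b', sampleHeaders));
```

Because the rule is "same protocol" rather than "not a downgrade", an http:// to https:// redirect on the same host also drops these headers in this sketch.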

@jimmywarting jimmywarting requested review from gr2m and LinusU July 12, 2022 16:32
Collaborator

@gr2m gr2m left a comment


great PR 👍🏼

@jimmywarting jimmywarting merged commit e87b093 into node-fetch:main Jul 18, 2022
@github-actions

🎉 This PR is included in version 3.2.9 🎉

The release is available on:

Your semantic-release bot 📦🚀

@victal

victal commented Jul 19, 2022

Sorry if this is the wrong place to ask, but since this PR is a fix for a security issue, will (or should) it be backported to the 2.x branch as it was done for #1449?

Is this done automatically or should I (or someone else interested in the fix) open another PR targeting the 2.x branch for that?

victal pushed a commit to victal/node-fetch that referenced this pull request Jul 19, 2022
@jimmywarting
Collaborator

If you @victal could create a PR to the v2 branch then that would be great!

@victal

victal commented Jul 19, 2022

Just created #1605 for it, thanks!

jimmywarting pushed a commit that referenced this pull request Jul 19, 2022
backport for #1599 to the 2.x branch

Co-authored-by: Guilherme Victal <guilherme.a@dasa.com.br>