(I could not find a more specific place to file security issues; I'm sorry if this was the wrong place.)
What / Why
make-fetch-happen contains code to strip the authorization header upon redirect to hosts other than the originally requested host. A recently reported CVE in node-fetch (a different package that make-fetch-happen does not depend on) fixes that package to contain similar logic. However, the node-fetch logic also strips the cookie and cookie2 headers (plus the www-authenticate header, which seems odd because that is a server-to-client header).
This means that any cookies sent with a request in make-fetch-happen are forwarded to the redirect target, even when it is a different host/origin. That does not match what happens in the browser, where cookies are scoped to the host that set them, so a redirect to another host does not carry them along. So this may be a bug/security issue in make-fetch-happen: it should strip cookie (and I guess cookie2) on cross-domain redirects, as it already does for authorization.
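The check described above, as an added example that is not code from make-fetch-happen or node-fetch: a helper that decides which request headers may accompany a redirected request, keeping everything for a same-host redirect and dropping the credential-bearing headers (authorization, cookie, cookie2, plus www-authenticate as in node-fetch's fix) when the Location points at a different host. The function names, the plain-object header representation, and the sample URLs and ports are assumptions made for the illustration; Node's global URL resolves relative Location values against the original URL.

```javascript
// Added example (not code from make-fetch-happen or node-fetch): decide which
// request headers may accompany a redirected request.

// Headers that carry credentials and must not leak to another host. This is the
// set node-fetch's fix for CVE-2022-0235 removes; www-authenticate is a response
// header, so dropping it from a request costs nothing.
const REDIRECT_SENSITIVE_HEADERS = new Set([
  "authorization",
  "cookie",
  "cookie2",
  "www-authenticate",
]);

// True when the Location target lives on a different host (name or port) than
// the URL that produced the redirect. Relative Location values are resolved
// against the original URL, as a client would.
function isCrossHostRedirect(originalUrl, location) {
  const from = new URL(originalUrl);
  const to = new URL(location, originalUrl);
  return from.host !== to.host;
}

// Returns a copy of `headers` (plain object, header names in any case) for the
// redirected request: unchanged for a same-host redirect, with the sensitive
// headers removed for a cross-host one.
function headersForRedirect(originalUrl, location, headers) {
  const crossHost = isCrossHostRedirect(originalUrl, location);
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossHost && REDIRECT_SENSITIVE_HEADERS.has(name.toLowerCase())) {
      continue;
    }
    kept[name] = value;
  }
  return kept;
}

// Constructed sample mirroring the reproduction below: the request went to
// localhost and the 302 points at 127.0.0.1 (hypothetical ports).
const sampleHeaders = { Authorization: "auth", Cookie: "cook", Accept: "*/*" };

function demo() {
  // Cross-host: only Accept survives.
  const crossHost = headersForRedirect(
    "http://localhost:3000/",
    "http://127.0.0.1:4000/",
    sampleHeaders,
  );
  // Same host (relative Location): all three headers survive.
  const sameHost = headersForRedirect(
    "http://localhost:3000/login",
    "/home",
    sampleHeaders,
  );
  return { crossHost, sameHost };
}

console.log(demo());
```

Comparing host (name plus port) rather than hostname alone means a redirect to the same name on a different port also loses the credentials; relax the comparison to hostname if your policy treats those as the same site. Whatever comparison you pick, apply it before copying headers onto the follow-up request, not after.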
When
Run this code:
```js
import fetch from "make-fetch-happen";
import { createServer } from "http";

// Target of the redirect: logs which credential headers arrived with the
// redirected request.
const redirectTargetServer = createServer((req, res) => {
  console.log("Redirect request Authorization", req.headers.authorization);
  console.log("Redirect request Cookie", req.headers.cookie);
  res.writeHead(200);
  res.end();
});

redirectTargetServer.listen(0, () => {
  const redirectTargetPort = redirectTargetServer.address().port;

  // Source of the redirect: logs the headers on the original request, then
  // answers with a 302 pointing at the target server.
  const redirectSourceServer = createServer((req, res) => {
    console.log("Original request Authorization", req.headers.authorization);
    console.log("Original request Cookie", req.headers.cookie);
    // We redirect to 127.0.0.1 but make the original request to localhost, so that
    // the domain names differ.
    res.writeHead(302, { Location: `http://127.0.0.1:${redirectTargetPort}` });
    res.end();
  });

  redirectSourceServer.listen(0, async () => {
    console.log("Sending request");
    // make-fetch-happen follows the 302 by default, so the target server
    // receives whatever headers survive the redirect.
    await fetch(`http://localhost:${redirectSourceServer.address().port}`, {
      headers: { Authorization: "auth", Cookie: "cook" },
    });
    process.exit(0);
  });
});
```
It prints:
```text
Sending request
Original request Authorization auth
Original request Cookie cook
Redirect request Authorization undefined
Redirect request Cookie cook
```
You can see that Authorization is stripped on redirect and Cookie is not. (Note that the reproduction deliberately uses localhost for the initial request and 127.0.0.1 for the redirect target; if your system doesn't support connecting to those two names then it may not work.)
Where
All versions of make-fetch-happen
How
Current Behavior
authorization but not cookie is stripped for cross-domain redirects
Steps to Reproduce
See above
Expected Behavior
cookie should probably be stripped too
Who
Not sure what this means
References
https://nvd.nist.gov/vuln/detail/CVE-2022-0235
node-fetch/node-fetch#1449