|
| 1 | +Fixes CVE-2023-28155: https://nvd.nist.gov/vuln/detail/CVE-2023-28155, which is a vulnerability |
| 2 | +in the the request module that is used by this package. |
| 3 | + |
| 4 | +Note that request is deprecated (see https://github.com/request/request for details), so this |
| 5 | +has not and will never be fixed in the request module itself. However, there is a pull request |
| 6 | +that fixes it. |
| 7 | + |
| 8 | +Adapted by [email protected] from a pull request for a patch to request: |
| 9 | + https://github.com/request/request/pull/3444/files |
| 10 | + |
| 11 | +From d42332182512e56ba68446f49c3e3711e04301a2 Mon Sep 17 00:00:00 2001 |
| 12 | +From: <redacted> |
| 13 | +Date: Sun, 12 Mar 2023 19:47:24 +0100 |
| 14 | +Subject: [PATCH 1/5] Added option "allowInsecureRedirect" |
| 15 | + |
| 16 | +--- |
| 17 | +PATCH NOTE -- ORIGINAL: |
| 18 | + lib/redirect.js | 6 +++++- |
| 19 | +PATCH NOTE -- UPDATE: |
| 20 | + node_modules/request/lib/redirect.js | 6 +++++- |
| 21 | + |
| 22 | +PATCH NOTE: These tests are not included in the module we use, so they are not included in this patch. |
| 23 | + tests/test-httpModule.js | 3 ++- |
| 24 | + tests/test-redirect.js | 15 ++++++++++++++- |
| 25 | + |
| 26 | +PATCH NOTE -- ORIGINAL: |
| 27 | + 3 files changed, 21 insertions(+), 3 deletions(-) |
| 28 | +PATCH NOTE -- UPDATED: |
| 29 | + 1 file changed, 5 insertions(+), 1 deletion(-) |
| 30 | + |
| 31 | +# PATCH NOTE -- ORIGINAL: |
| 32 | +#diff --git a/lib/redirect.js b/lib/redirect.js |
| 33 | +# PATCH NOTE -- UPDATED with path used within the source tarball: |
| 34 | +diff --git a/node_modules/request/lib/redirect.js b/node_modules/request/lib/redirect.js |
| 35 | + |
| 36 | +index b9150e77c..770c7f41b 100644 |
| 37 | +# PATCH NOTE -- ORIGINAL: |
| 38 | +# --- a/lib/redirect.js |
| 39 | +# +++ b/lib/redirect.js |
| 40 | +# PATCH NOTE -- UPDATED with path used within the source tarball: |
| 41 | +--- a/node_modules/request/lib/redirect.js |
| 42 | ++++ b/node_modules/request/lib/redirect.js |
| 43 | + |
| 44 | +@@ -14,6 +14,7 @@ function Redirect (request) { |
| 45 | + this.redirects = [] |
| 46 | + this.redirectsFollowed = 0 |
| 47 | + this.removeRefererHeader = false |
| 48 | ++ this.allowInsecureRedirect = false |
| 49 | + } |
| 50 | + |
| 51 | + Redirect.prototype.onRequest = function (options) { |
| 52 | +@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) { |
| 53 | + if (options.followOriginalHttpMethod !== undefined) { |
| 54 | + self.followOriginalHttpMethod = options.followOriginalHttpMethod |
| 55 | + } |
| 56 | ++ if (options.allowInsecureRedirect !== undefined) { |
| 57 | ++ self.allowInsecureRedirect = options.allowInsecureRedirect; |
| 58 | ++ } |
| 59 | + } |
| 60 | + |
| 61 | + Redirect.prototype.redirectTo = function (response) { |
| 62 | +@@ -108,7 +112,7 @@ Redirect.prototype.onResponse = function (response) { |
| 63 | + request.uri = url.parse(redirectTo) |
| 64 | + |
| 65 | + // handle the case where we change protocol from https to http or vice versa |
| 66 | +- if (request.uri.protocol !== uriPrev.protocol) { |
| 67 | ++ if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) { |
| 68 | + delete request.agent |
| 69 | + } |
| 70 | + |
| 71 | +# PATCH NOTE: The rest of the diffs are not applied because they are tests and not |
| 72 | +# included in the source tarball. |
| 73 | +# diff --git a/tests/test-httpModule.js b/tests/test-httpModule.js |
| 74 | +# index 4d4e236bf..a59c427b1 100644 |
| 75 | +# --- a/tests/test-httpModule.js |
| 76 | +# +++ b/tests/test-httpModule.js |
| 77 | +# @@ -70,7 +70,8 @@ function runTests (name, httpModules) { |
| 78 | +# tape(name, function (t) { |
| 79 | +# var toHttps = 'http://localhost:' + plainServer.port + '/to_https' |
| 80 | +# var toPlain = 'https://localhost:' + httpsServer.port + '/to_plain' |
| 81 | +# - var options = { httpModules: httpModules, strictSSL: false } |
| 82 | +# + var options = { httpModules: httpModules, strictSSL: false, allowInsecureRedirect: true } |
| 83 | +# + var optionsSecure = { httpModules: httpModules, strictSSL: false } |
| 84 | +# var modulesTest = httpModules || {} |
| 85 | + |
| 86 | +# clearFauxRequests() |
| 87 | +# diff --git a/tests/test-redirect.js b/tests/test-redirect.js |
| 88 | +# index b7b5ca676..48b4982e4 100644 |
| 89 | +# --- a/tests/test-redirect.js |
| 90 | +# +++ b/tests/test-redirect.js |
| 91 | +# @@ -345,7 +345,8 @@ tape('http to https redirect', function (t) { |
| 92 | +# hits = {} |
| 93 | +# request.get({ |
| 94 | +# uri: require('url').parse(s.url + '/ssl'), |
| 95 | +# - rejectUnauthorized: false |
| 96 | +# + rejectUnauthorized: false, |
| 97 | +# + allowInsecureRedirect: true |
| 98 | +# }, function (err, res, body) { |
| 99 | +# t.equal(err, null) |
| 100 | +# t.equal(res.statusCode, 200) |
| 101 | +# @@ -354,6 +355,18 @@ tape('http to https redirect', function (t) { |
| 102 | +# }) |
| 103 | +# }) |
| 104 | + |
| 105 | +# +tape('http to https redirect should fail without the explicit "allowInsecureRedirect" option', function (t) { |
| 106 | +# + hits = {} |
| 107 | +# + request.get({ |
| 108 | +# + uri: require('url').parse(s.url + '/ssl'), |
| 109 | +# + rejectUnauthorized: false |
| 110 | +# + }, function (err, res, body) { |
| 111 | +# + t.notEqual(err, null) |
| 112 | +# + t.equal(err.code, "ERR_INVALID_PROTOCOL","Failed to cross-protocol redirect") |
| 113 | +# + t.end() |
| 114 | +# + }) |
| 115 | +# +}) |
| 116 | +# + |
| 117 | +# tape('should have referer header by default when following redirect', function (t) { |
| 118 | +# request.post({ |
| 119 | +# uri: s.url + '/temp', |
| 120 | + |
| 121 | +# From 9d69d750f39cc5ab6f3b011e17472bc28b14dc22 Mon Sep 17 00:00:00 2001 |
| 122 | +# From: Szymon Drosdzol <[email protected]> |
| 123 | +# Date: Sun, 12 Mar 2023 19:50:09 +0100 |
| 124 | +# Subject: [PATCH 2/5] Documented allowInsecureRedirect in Readme |
| 125 | + |
| 126 | +# --- |
| 127 | +# README.md | 1 + |
| 128 | +# 1 file changed, 1 insertion(+) |
| 129 | + |
| 130 | +# diff --git a/README.md b/README.md |
| 131 | +# index 42290d5ce..dd432a768 100644 |
| 132 | +# --- a/README.md |
| 133 | +# +++ b/README.md |
| 134 | +# @@ -809,6 +809,7 @@ The first argument can be either a `url` or an `options` object. The only requir |
| 135 | +# - `followOriginalHttpMethod` - by default we redirect to HTTP method GET. you can enable this property to redirect to the original HTTP method (default: `false`) |
| 136 | +# - `maxRedirects` - the maximum number of redirects to follow (default: `10`) |
| 137 | +# - `removeRefererHeader` - removes the referer header when a redirect happens (default: `false`). **Note:** if true, referer header set in the initial request is preserved during redirect chain. |
| 138 | +# +- `allowInsecureRedirect` - allows cross-protocol redirects (HTTP to HTTPS and vice versa). **Warning:** may lead to bypassing anti SSRF filters |
| 139 | + |
| 140 | +# --- |
| 141 | + |
| 142 | + |
| 143 | +# From 8a15249d182e54a261b1539846f76d913a6904f4 Mon Sep 17 00:00:00 2001 |
| 144 | +# From: SzymonDrosdzol <[email protected]> |
| 145 | +# Date: Fri, 17 Mar 2023 10:09:46 +0100 |
| 146 | +# Subject: [PATCH 3/5] Removed semicolon |
| 147 | + |
| 148 | +# Co-authored-by: legobeat <[email protected]> |
| 149 | +# --- |
| 150 | +# lib/redirect.js | 2 +- |
| 151 | +# 1 file changed, 1 insertion(+), 1 deletion(-) |
| 152 | + |
| 153 | +# diff --git a/lib/redirect.js b/lib/redirect.js |
| 154 | +# index 770c7f41b..2864f9f2a 100644 |
| 155 | +# --- a/lib/redirect.js |
| 156 | +# +++ b/lib/redirect.js |
| 157 | +# @@ -42,7 +42,7 @@ Redirect.prototype.onRequest = function (options) { |
| 158 | +# self.followOriginalHttpMethod = options.followOriginalHttpMethod |
| 159 | +# } |
| 160 | +# if (options.allowInsecureRedirect !== undefined) { |
| 161 | +# - self.allowInsecureRedirect = options.allowInsecureRedirect; |
| 162 | +# + self.allowInsecureRedirect = options.allowInsecureRedirect |
| 163 | +# } |
| 164 | +# } |
| 165 | + |
| 166 | + |
| 167 | +# From 8535868fc88f24ed652d3f290bfd553a2cdbb811 Mon Sep 17 00:00:00 2001 |
| 168 | +# From: SzymonDrosdzol <[email protected]> |
| 169 | +# Date: Fri, 17 Mar 2023 10:12:09 +0100 |
| 170 | +# Subject: [PATCH 4/5] Code style fix |
| 171 | + |
| 172 | +# Co-authored-by: Kevin van Rijn <[email protected]> |
| 173 | +# --- |
| 174 | +# tests/test-redirect.js | 2 +- |
| 175 | +# 1 file changed, 1 insertion(+), 1 deletion(-) |
| 176 | + |
| 177 | +# diff --git a/tests/test-redirect.js b/tests/test-redirect.js |
| 178 | +# index 48b4982e4..3e1957604 100644 |
| 179 | +# --- a/tests/test-redirect.js |
| 180 | +# +++ b/tests/test-redirect.js |
| 181 | +# @@ -362,7 +362,7 @@ tape('http to https redirect should fail without the explicit "allowInsecureRedi |
| 182 | +# rejectUnauthorized: false |
| 183 | +# }, function (err, res, body) { |
| 184 | +# t.notEqual(err, null) |
| 185 | +# - t.equal(err.code, "ERR_INVALID_PROTOCOL","Failed to cross-protocol redirect") |
| 186 | +# + t.equal(err.code, 'ERR_INVALID_PROTOCOL', 'Failed to cross-protocol redirect') |
| 187 | +# t.end() |
| 188 | +# }) |
| 189 | +# }) |
| 190 | + |
| 191 | +# From 43647c4bd6e451f350267d5236463b4248dbc8df Mon Sep 17 00:00:00 2001 |
| 192 | +# From: SzymonDrosdzol <[email protected]> |
| 193 | +# Date: Fri, 17 Mar 2023 10:22:33 +0100 |
| 194 | +# Subject: [PATCH 5/5] Removed leftover declaration |
| 195 | + |
| 196 | +# --- |
| 197 | +# tests/test-httpModule.js | 1 - |
| 198 | +# 1 file changed, 1 deletion(-) |
| 199 | + |
| 200 | +# diff --git a/tests/test-httpModule.js b/tests/test-httpModule.js |
| 201 | +# index a59c427b1..f12382fe6 100644 |
| 202 | +# --- a/tests/test-httpModule.js |
| 203 | +# +++ b/tests/test-httpModule.js |
| 204 | +# @@ -71,7 +71,6 @@ function runTests (name, httpModules) { |
| 205 | +# var toHttps = 'http://localhost:' + plainServer.port + '/to_https' |
| 206 | +# var toPlain = 'https://localhost:' + httpsServer.port + '/to_plain' |
| 207 | +# var options = { httpModules: httpModules, strictSSL: false, allowInsecureRedirect: true } |
| 208 | +# - var optionsSecure = { httpModules: httpModules, strictSSL: false } |
| 209 | +# var modulesTest = httpModules || {} |
| 210 | + |
| 211 | +# clearFauxRequests() |
0 commit comments