Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 095d48c

Browse files
authored
Fix CVE-2023-28155 by patching request module in reaper (#5574)
1 parent f754218 commit 095d48c

2 files changed

Lines changed: 218 additions & 2 deletions

File tree

SPECS/reaper/CVE-2023-28155.patch

Lines changed: 211 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,211 @@
1+
Fixes CVE-2023-28155: https://nvd.nist.gov/vuln/detail/CVE-2023-28155, which is a vulnerability
2+
in the the request module that is used by this package.
3+
4+
Note that request is deprecated (see https://github.com/request/request for details), so this
5+
has not and will never be fixed in the request module itself. However, there is a pull request
6+
that fixes it.
7+
8+
Adapted by [email protected] from a pull request for a patch to request:
9+
https://github.com/request/request/pull/3444/files
10+
11+
From d42332182512e56ba68446f49c3e3711e04301a2 Mon Sep 17 00:00:00 2001
12+
From: <redacted>
13+
Date: Sun, 12 Mar 2023 19:47:24 +0100
14+
Subject: [PATCH 1/5] Added option "allowInsecureRedirect"
15+
16+
---
17+
PATCH NOTE -- ORIGINAL:
18+
lib/redirect.js | 6 +++++-
19+
PATCH NOTE -- UPDATE:
20+
node_modules/request/lib/redirect.js | 6 +++++-
21+
22+
PATCH NOTE: These tests are not included in the module we use, so they are not included in this patch.
23+
tests/test-httpModule.js | 3 ++-
24+
tests/test-redirect.js | 15 ++++++++++++++-
25+
26+
PATCH NOTE -- ORIGINAL:
27+
3 files changed, 21 insertions(+), 3 deletions(-)
28+
PATCH NOTE -- UPDATED:
29+
1 file changed, 5 insertions(+), 1 deletion(-)
30+
31+
# PATCH NOTE -- ORIGINAL:
32+
#diff --git a/lib/redirect.js b/lib/redirect.js
33+
# PATCH NOTE -- UPDATED with path used within the source tarball:
34+
diff --git a/node_modules/request/lib/redirect.js b/node_modules/request/lib/redirect.js
35+
36+
index b9150e77c..770c7f41b 100644
37+
# PATCH NOTE -- ORIGINAL:
38+
# --- a/lib/redirect.js
39+
# +++ b/lib/redirect.js
40+
# PATCH NOTE -- UPDATED with path used within the source tarball:
41+
--- a/node_modules/request/lib/redirect.js
42+
+++ b/node_modules/request/lib/redirect.js
43+
44+
@@ -14,6 +14,7 @@ function Redirect (request) {
45+
this.redirects = []
46+
this.redirectsFollowed = 0
47+
this.removeRefererHeader = false
48+
+ this.allowInsecureRedirect = false
49+
}
50+
51+
Redirect.prototype.onRequest = function (options) {
52+
@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
53+
if (options.followOriginalHttpMethod !== undefined) {
54+
self.followOriginalHttpMethod = options.followOriginalHttpMethod
55+
}
56+
+ if (options.allowInsecureRedirect !== undefined) {
57+
+ self.allowInsecureRedirect = options.allowInsecureRedirect;
58+
+ }
59+
}
60+
61+
Redirect.prototype.redirectTo = function (response) {
62+
@@ -108,7 +112,7 @@ Redirect.prototype.onResponse = function (response) {
63+
request.uri = url.parse(redirectTo)
64+
65+
// handle the case where we change protocol from https to http or vice versa
66+
- if (request.uri.protocol !== uriPrev.protocol) {
67+
+ if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {
68+
delete request.agent
69+
}
70+
71+
# PATCH NOTE: The rest of the diffs are not applied because they are tests and not
72+
# included in the source tarball.
73+
# diff --git a/tests/test-httpModule.js b/tests/test-httpModule.js
74+
# index 4d4e236bf..a59c427b1 100644
75+
# --- a/tests/test-httpModule.js
76+
# +++ b/tests/test-httpModule.js
77+
# @@ -70,7 +70,8 @@ function runTests (name, httpModules) {
78+
# tape(name, function (t) {
79+
# var toHttps = 'http://localhost:' + plainServer.port + '/to_https'
80+
# var toPlain = 'https://localhost:' + httpsServer.port + '/to_plain'
81+
# - var options = { httpModules: httpModules, strictSSL: false }
82+
# + var options = { httpModules: httpModules, strictSSL: false, allowInsecureRedirect: true }
83+
# + var optionsSecure = { httpModules: httpModules, strictSSL: false }
84+
# var modulesTest = httpModules || {}
85+
86+
# clearFauxRequests()
87+
# diff --git a/tests/test-redirect.js b/tests/test-redirect.js
88+
# index b7b5ca676..48b4982e4 100644
89+
# --- a/tests/test-redirect.js
90+
# +++ b/tests/test-redirect.js
91+
# @@ -345,7 +345,8 @@ tape('http to https redirect', function (t) {
92+
# hits = {}
93+
# request.get({
94+
# uri: require('url').parse(s.url + '/ssl'),
95+
# - rejectUnauthorized: false
96+
# + rejectUnauthorized: false,
97+
# + allowInsecureRedirect: true
98+
# }, function (err, res, body) {
99+
# t.equal(err, null)
100+
# t.equal(res.statusCode, 200)
101+
# @@ -354,6 +355,18 @@ tape('http to https redirect', function (t) {
102+
# })
103+
# })
104+
105+
# +tape('http to https redirect should fail without the explicit "allowInsecureRedirect" option', function (t) {
106+
# + hits = {}
107+
# + request.get({
108+
# + uri: require('url').parse(s.url + '/ssl'),
109+
# + rejectUnauthorized: false
110+
# + }, function (err, res, body) {
111+
# + t.notEqual(err, null)
112+
# + t.equal(err.code, "ERR_INVALID_PROTOCOL","Failed to cross-protocol redirect")
113+
# + t.end()
114+
# + })
115+
# +})
116+
# +
117+
# tape('should have referer header by default when following redirect', function (t) {
118+
# request.post({
119+
# uri: s.url + '/temp',
120+
121+
# From 9d69d750f39cc5ab6f3b011e17472bc28b14dc22 Mon Sep 17 00:00:00 2001
122+
# From: Szymon Drosdzol <[email protected]>
123+
# Date: Sun, 12 Mar 2023 19:50:09 +0100
124+
# Subject: [PATCH 2/5] Documented allowInsecureRedirect in Readme
125+
126+
# ---
127+
# README.md | 1 +
128+
# 1 file changed, 1 insertion(+)
129+
130+
# diff --git a/README.md b/README.md
131+
# index 42290d5ce..dd432a768 100644
132+
# --- a/README.md
133+
# +++ b/README.md
134+
# @@ -809,6 +809,7 @@ The first argument can be either a `url` or an `options` object. The only requir
135+
# - `followOriginalHttpMethod` - by default we redirect to HTTP method GET. you can enable this property to redirect to the original HTTP method (default: `false`)
136+
# - `maxRedirects` - the maximum number of redirects to follow (default: `10`)
137+
# - `removeRefererHeader` - removes the referer header when a redirect happens (default: `false`). **Note:** if true, referer header set in the initial request is preserved during redirect chain.
138+
# +- `allowInsecureRedirect` - allows cross-protocol redirects (HTTP to HTTPS and vice versa). **Warning:** may lead to bypassing anti SSRF filters
139+
140+
# ---
141+
142+
143+
# From 8a15249d182e54a261b1539846f76d913a6904f4 Mon Sep 17 00:00:00 2001
144+
# From: SzymonDrosdzol <[email protected]>
145+
# Date: Fri, 17 Mar 2023 10:09:46 +0100
146+
# Subject: [PATCH 3/5] Removed semicolon
147+
148+
# Co-authored-by: legobeat <[email protected]>
149+
# ---
150+
# lib/redirect.js | 2 +-
151+
# 1 file changed, 1 insertion(+), 1 deletion(-)
152+
153+
# diff --git a/lib/redirect.js b/lib/redirect.js
154+
# index 770c7f41b..2864f9f2a 100644
155+
# --- a/lib/redirect.js
156+
# +++ b/lib/redirect.js
157+
# @@ -42,7 +42,7 @@ Redirect.prototype.onRequest = function (options) {
158+
# self.followOriginalHttpMethod = options.followOriginalHttpMethod
159+
# }
160+
# if (options.allowInsecureRedirect !== undefined) {
161+
# - self.allowInsecureRedirect = options.allowInsecureRedirect;
162+
# + self.allowInsecureRedirect = options.allowInsecureRedirect
163+
# }
164+
# }
165+
166+
167+
# From 8535868fc88f24ed652d3f290bfd553a2cdbb811 Mon Sep 17 00:00:00 2001
168+
# From: SzymonDrosdzol <[email protected]>
169+
# Date: Fri, 17 Mar 2023 10:12:09 +0100
170+
# Subject: [PATCH 4/5] Code style fix
171+
172+
# Co-authored-by: Kevin van Rijn <[email protected]>
173+
# ---
174+
# tests/test-redirect.js | 2 +-
175+
# 1 file changed, 1 insertion(+), 1 deletion(-)
176+
177+
# diff --git a/tests/test-redirect.js b/tests/test-redirect.js
178+
# index 48b4982e4..3e1957604 100644
179+
# --- a/tests/test-redirect.js
180+
# +++ b/tests/test-redirect.js
181+
# @@ -362,7 +362,7 @@ tape('http to https redirect should fail without the explicit "allowInsecureRedi
182+
# rejectUnauthorized: false
183+
# }, function (err, res, body) {
184+
# t.notEqual(err, null)
185+
# - t.equal(err.code, "ERR_INVALID_PROTOCOL","Failed to cross-protocol redirect")
186+
# + t.equal(err.code, 'ERR_INVALID_PROTOCOL', 'Failed to cross-protocol redirect')
187+
# t.end()
188+
# })
189+
# })
190+
191+
# From 43647c4bd6e451f350267d5236463b4248dbc8df Mon Sep 17 00:00:00 2001
192+
# From: SzymonDrosdzol <[email protected]>
193+
# Date: Fri, 17 Mar 2023 10:22:33 +0100
194+
# Subject: [PATCH 5/5] Removed leftover declaration
195+
196+
# ---
197+
# tests/test-httpModule.js | 1 -
198+
# 1 file changed, 1 deletion(-)
199+
200+
# diff --git a/tests/test-httpModule.js b/tests/test-httpModule.js
201+
# index a59c427b1..f12382fe6 100644
202+
# --- a/tests/test-httpModule.js
203+
# +++ b/tests/test-httpModule.js
204+
# @@ -71,7 +71,6 @@ function runTests (name, httpModules) {
205+
# var toHttps = 'http://localhost:' + plainServer.port + '/to_https'
206+
# var toPlain = 'https://localhost:' + httpsServer.port + '/to_plain'
207+
# var options = { httpModules: httpModules, strictSSL: false, allowInsecureRedirect: true }
208+
# - var optionsSecure = { httpModules: httpModules, strictSSL: false }
209+
# var modulesTest = httpModules || {}
210+
211+
# clearFauxRequests()

SPECS/reaper/reaper.spec

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@
1212

1313
Name: reaper
1414
Version: 3.1.1
15-
Release: 4%{?dist}
15+
Release: 5%{?dist}
1616
Summary: Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
1717
License: ASL 2.0
1818
Distribution: Mariner
@@ -41,6 +41,7 @@ Source6: %{local_lib_node_modules}
4141
# v14.18.0 node binary under /usr/local
4242
Source7: %{local_n}
4343
Patch0: CVE-2022-37601.patch
44+
Patch1: CVE-2023-28155.patch
4445

4546
BuildRequires: git
4647
BuildRequires: javapackages-tools
@@ -108,7 +109,8 @@ tar xf %{SOURCE1}
108109

109110
echo "Installing npm_modules"
110111
tar fx %{SOURCE2}
111-
patch -p1 < %{PATCH0}
112+
patch -p1 --input %{PATCH0}
113+
patch -p1 --input %{PATCH1}
112114
popd
113115

114116
# Building using maven in offline mode.
@@ -179,6 +181,9 @@ fi
179181
%{_unitdir}/cassandra-%{name}.service
180182

181183
%changelog
184+
* Thu May 25 2023 Tobias Brick <[email protected]> - 3.1.1-5
185+
- Patch CVE-2023-28155 for request npm module
186+
182187
* Tue May 23 2023 Bala <[email protected]> - 3.1.1-4
183188
- Update CVE-2022-37601.patch to patch two other occurances of the same CVE
184189

0 commit comments

Comments
 (0)