Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Ssrf fix#3444

Closed
SzymonDrosdzol wants to merge 5 commits into
request:masterfrom
doyensec:SSRF-Fix
Closed

Ssrf fix#3444
SzymonDrosdzol wants to merge 5 commits into
request:masterfrom
doyensec:SSRF-Fix

Conversation

@SzymonDrosdzol

@SzymonDrosdzol SzymonDrosdzol commented Mar 16, 2023

Copy link
Copy Markdown

PR Checklist:

  • [DONE] I have run npm test locally and all tests are passing.
  • [DONE] I have added/updated tests for any new behavior.
  • [DONE] If this is a significant change, an issue has already been created where the problem / solution was discussed: [N/A, or add link to issue here]

PR Description

This pull request is a fix to CVE-2023-28155.

It introduces a new configuration option allowInsecureRedirects, turned off by default. The default configuration leaves library users protected from exploiting CVE-2023-28155. When the option gets turned on, the cross-protocol redirects will be allowed if library user decides it's safe and required in their case.

@phawxby

phawxby commented Mar 16, 2023

Copy link
Copy Markdown

@mikeal @jabrena @mmalecki @eiriksm @reconbot any possibility one of you is available to review and merge this? Our build process is currently broken because of audit failures. Thanks.

legobeat
legobeat reviewed Mar 16, 2023
View reviewed changes
Comment thread lib/redirect.js Outdated
@legobeat legobeat mentioned this pull request Mar 17, 2023
Merged
legobeat added a commit to legobeat/metamask-extension that referenced this pull request Mar 17, 2023
@legobeat
security: patch request for CVE-2023-28155
8d8ab81 
GHSA-p8p7-x288-28g6

Ported from request/request#3444
kevinvanrijn
kevinvanrijn reviewed Mar 17, 2023
View reviewed changes
Comment thread tests/test-httpModule.js Outdated
kevinvanrijn
kevinvanrijn reviewed Mar 17, 2023
View reviewed changes
Comment thread tests/test-redirect.js Outdated
Gudahtt pushed a commit to MetaMask/metamask-extension that referenced this pull request Mar 17, 2023
@legobeat
security: patch request for CVE-2023-28155 (#18208)
c21c2bd 
* security: patch request for CVE-2023-28155

GHSA-p8p7-x288-28g6

Ported from request/request#3444

* add iyarc exclusion
@phawxby phawxby mentioned this pull request Mar 17, 2023
Open
danjm pushed a commit to MetaMask/metamask-extension that referenced this pull request Mar 17, 2023
@legobeat @danjm
security: patch request for CVE-2023-28155 (#18208)
dacdaf0 
* security: patch request for CVE-2023-28155

GHSA-p8p7-x288-28g6

Ported from request/request#3444

* add iyarc exclusion
@phawxby phawxby mentioned this pull request Mar 20, 2023
Open
@tcherel

tcherel commented Mar 22, 2023

Copy link
Copy Markdown

Can we expect an updated request release with this fix soon?
If yes, how soon?
Sorry, just trying to figure out how fast we need to move out of request completely.
Thanks.

@khitrenovich

khitrenovich commented Mar 22, 2023
edited
Loading

Copy link
Copy Markdown

There were no non-doc/tools changes in the repo since 2018 and no commits at all for the last 3 years.
I wouldn't expect any fix coming from here.

Our own dependency on request came from jsforce (which is not gonna get fixed soon, as it looks like), so we migrated to the still-maintained fork from Cypress via Yarn forced resolutions mechanism, and it worked like a charm.

Update: in case somebody missed that, request is deprecated since 2020.

@danilogco

danilogco commented Mar 22, 2023
edited
Loading

Copy link
Copy Markdown

Yeah... It seems like it's not being maintained/updated anymore a long time.

@tcherel

tcherel commented Mar 22, 2023

Copy link
Copy Markdown

Thanks.
Yes, I understand that request is not maintained any longer but since there was this PR created and it got reviewed and approved, I though that, may be, something was going to be released.

@suside

suside commented Mar 23, 2023

Copy link
Copy Markdown

@khitrenovich CVE-2023-28155 was reported on Mar 16, 2023 and the last commit in fork from Cypress is from Jan 11, 2023. It doesn't look like this has been fixed in their fork 🤨

@khitrenovich khitrenovich mentioned this pull request Mar 23, 2023
Closed
@khitrenovich

khitrenovich commented Mar 23, 2023

Copy link
Copy Markdown

@khitrenovich CVE-2023-28155 was reported on Mar 16, 2023 and the last commit in fork from Cypress is from Jan 11, 2023. It doesn't look like this has been fixed in their fork 🤨

@suside You are right... Just opened an issue there, let's see how they respond.

@abbyhu2000 abbyhu2000 mentioned this pull request Mar 23, 2023
Closed
@phawxby

phawxby commented Mar 24, 2023

Copy link
Copy Markdown

@SzymonDrosdzol it might be worth you opening the same CVE against the cypress fork too

legobeat pushed a commit to legobeat/request that referenced this pull request Mar 25, 2023
@SzymonDrosdzol @legobeat
security: breaking: Add option "allowInsecureRedirect"
c61a27f 
- Addresses CVE-2023-28155
  - Existing behavior allows malicios redirects between protocols
  - Set default behavior to disable this vector (breaking)
  - Add new option `allowInsecureRedirect` where `true` reverts to old
    behavior
- Ported from request#3444
@legobeat legobeat mentioned this pull request Mar 25, 2023
Closed
3 tasks
@legobeat

legobeat commented Mar 25, 2023

Copy link
Copy Markdown

I have made two PRs on cypress:

It seems they have an extended test suite handling more complex redirects so if anyone feels up for extending my PRs addressing those cases to get them up to standard, feel free.

@azu azu mentioned this pull request Mar 26, 2023
Merged
@justin-wilxite justin-wilxite mentioned this pull request Mar 26, 2023
Closed
@karanr1990

karanr1990 commented Mar 27, 2023

Copy link
Copy Markdown

is there any alternate library of sforcejs where we do not have dependency on request library ?

@WassimBenzarti WassimBenzarti mentioned this pull request Mar 29, 2023
Closed
@vamsimanohar vamsimanohar mentioned this pull request Mar 30, 2023
Closed
@dboreham dboreham mentioned this pull request Mar 31, 2023
Closed
@github-actions github-actions Bot mentioned this pull request Apr 4, 2023
Open
@gclendinning02 gclendinning02 mentioned this pull request Apr 12, 2023
Closed
@RyanHipkiss RyanHipkiss mentioned this pull request Apr 18, 2023
Merged
@jeremieSTC

jeremieSTC commented Apr 23, 2023

Copy link
Copy Markdown

Can we expect an updated request release with this fix soon?

If yes, how soon?

Sorry, just trying to figure out how fast we need to move out of request completely.

Thanks.

It would be great if a new version could be released including the fix. I see there was a new version a couple of days ago with the new version of xml2js so I have hope.

@legobeat

legobeat commented Apr 23, 2023
edited
Loading

Copy link
Copy Markdown

@jeremieSTC A couple of years, you mean? See above for alternatives - request itself is unmaintained and I wouldn't be hoping to see further updates.

@reconbot

reconbot commented Apr 23, 2023
edited
Loading

Copy link
Copy Markdown
Contributor

Per the readme and npm deprecation warning.

As of Feb 11th 2020, request is fully deprecated. No new changes are expected to land. In fact, none have landed for some time.

Please use alternative libraries.

@reconbot reconbot closed this Apr 23, 2023
@Scomodev Scomodev mentioned this pull request Apr 28, 2023
Closed
This was referenced May 23, 2023
Closed
Merged
Merged
@github-actions github-actions Bot mentioned this pull request Jun 2, 2023
Closed
@westonphillips westonphillips mentioned this pull request Jun 27, 2023
Open
@darakian darakian mentioned this pull request Jul 13, 2023
Merged
legobeat pushed a commit to legobeat/request that referenced this pull request Aug 1, 2023
@SzymonDrosdzol @legobeat
security: breaking: Add option "allowInsecureRedirect"
281e694 
- Addresses CVE-2023-28155
  - Existing behavior allows malicios redirects between protocols
  - Set default behavior to disable this vector (breaking)
  - Add new option `allowInsecureRedirect` where `true` reverts to old
    behavior
- Ported from request#3444
legobeat pushed a commit to legobeat/request that referenced this pull request Aug 1, 2023
@SzymonDrosdzol @legobeat
security: breaking: Add option "allowInsecureRedirect"
35e023c 
- Addresses CVE-2023-28155
  - Existing behavior allows malicios redirects between protocols
  - Set default behavior to disable this vector (breaking)
  - Add new option `allowInsecureRedirect` where `true` reverts to old
    behavior
- Ported from request#3444
@github-actions github-actions Bot mentioned this pull request Dec 12, 2023
Closed
@pratheeshrussell-qb pratheeshrussell-qb mentioned this pull request Feb 20, 2025
Closed
@pratheeshrussell-qb pratheeshrussell-qb mentioned this pull request Apr 7, 2025
Closed
@github-actions github-actions Bot mentioned this pull request Apr 7, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

6 more reviewers

@legobeat legobeat legobeat left review comments

@kevinvanrijn kevinvanrijn kevinvanrijn approved these changes

@WassimBenzarti WassimBenzarti WassimBenzarti approved these changes

@nrbarry nrbarry nrbarry approved these changes

@ssathishan ssathishan ssathishan approved these changes

@andyren0110 andyren0110 andyren0110 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.