Bug#1003526: Update to close CVE-2022-0536
Hi,
here is a new debdiff to close also CVE-2022-0536
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 5bfcaa7..5e881cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-follow-redirects (1.13.1-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Drop Cookie header across domains (Closes: CVE-2022-0155)
+ * Drop confidential headers across schemes (Closes: CVE-2022-0536)
+
+ -- Yadd <yadd@debian.org> Sat, 12 Feb 2022 12:05:01 +0100
+
node-follow-redirects (1.13.1-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-0155.patch b/debian/patches/CVE-2022-0155.patch
new file mode 100644
index 0000000..0e8419f
--- /dev/null
+++ b/debian/patches/CVE-2022-0155.patch
@@ -0,0 +1,22 @@
+Description: Drop Cookie header across domains.
+Author: Ruben Verborgh <ruben@verborgh.org>
+Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/8b347cbc
+Bug: https://github.com/follow-redirects/follow-redirects/issues/183
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-01-11
+
+--- a/index.js
++++ b/index.js
+@@ -345,9 +345,9 @@
+ var redirectUrlParts = url.parse(redirectUrl);
+ Object.assign(this._options, redirectUrlParts);
+
+- // Drop the Authorization header if redirecting to another host
++ // Drop the confidential headers when redirecting to another domain
+ if (redirectUrlParts.hostname !== previousHostName) {
+- removeMatchingHeaders(/^authorization$/i, this._options.headers);
++ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ }
+
+ // Evaluate the beforeRedirect callback
diff --git a/debian/patches/CVE-2022-0536.patch b/debian/patches/CVE-2022-0536.patch
new file mode 100644
index 0000000..fdb3d11
--- /dev/null
+++ b/debian/patches/CVE-2022-0536.patch
@@ -0,0 +1,99 @@
+Description: Drop confidential headers across schemes
+Author: Ruben Verborgh <ruben@verborgh.org>
+Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/62e546a9
+Bug: https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-02-12
+
+--- a/index.js
++++ b/index.js
+@@ -335,8 +335,9 @@
+ }
+
+ // Drop the Host header, as the redirect might lead to a different host
+- var previousHostName = removeMatchingHeaders(/^host$/i, this._options.headers) ||
+- url.parse(this._currentUrl).hostname;
++ var currentHostHeader = removeMatchingHeaders(/^host$/i, this._options.headers);
++ var currentUrlParts = url.parse(this._currentUrl);
++ var currentHost = currentHostHeader || currentUrlParts.host;
+
+ // Create the redirected request
+ var redirectUrl = url.resolve(this._currentUrl, location);
+@@ -345,8 +346,10 @@
+ var redirectUrlParts = url.parse(redirectUrl);
+ Object.assign(this._options, redirectUrlParts);
+
+- // Drop the confidential headers when redirecting to another domain
+- if (redirectUrlParts.hostname !== previousHostName) {
++ // Drop the Host header, as the redirect might lead to a different host
++ // Drop confidential headers when redirecting to another scheme:domain
++ if (redirectUrlParts.protocol !== currentUrlParts.protocol ||
++ !isSameOrSubdomain(redirectUrlParts.host, currentHost)) {
+ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ }
+
+@@ -499,6 +502,14 @@
+ return CustomError;
+ }
+
++function isSameOrSubdomain(subdomain, domain) {
++ if (subdomain === domain) {
++ return true;
++ }
++ const dot = subdomain.length - domain.length - 1;
++ return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
++}
++
+ // Exports
+ module.exports = wrap({ http: http, https: https });
+ module.exports.wrap = wrap;
+--- a/test/test.js
++++ b/test/test.js
+@@ -730,6 +730,38 @@
+ });
+ });
+ });
++
++ });
++
++ [
++ "Authorization",
++ "Cookie",
++ ].forEach(function (header) {
++ describe("when the client passes an header named " + header, function () {
++ it("ignores it when null", function () {
++ app.get("/a", redirectsTo(302, "http://localhost:3600/b";));
++ app.get("/b", function (req, res) {
++ res.end(JSON.stringify(req.headers));
++ });
++
++ var opts = url.parse("http://127.0.0.1:3600/a";);
++ opts.headers = { host: "localhost" };
++ opts.headers[header] = null;
++
++ return server.start(app)
++ .then(asPromise(function (resolve, reject) {
++ http.get(opts, resolve).on("error", reject);
++ }))
++ .then(asPromise(function (resolve, reject, res) {
++ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
++ }))
++ .then(function (str) {
++ var body = JSON.parse(str);
++ assert.equal(body.host, "localhost:3600");
++ assert.equal(body[header.toLowerCase()], undefined);
++ });
++ });
++ });
+ });
+
+ describe("should switch to safe methods when appropriate", function () {
+@@ -1237,7 +1269,6 @@
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "localhost:3600");
+- assert.equal(body.authorization, "bearer my-token-1234");
+ });
+ });
+
diff --git a/debian/patches/series b/debian/patches/series
index a22cf9d..8040424 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
fix-test.patch
+CVE-2022-0155.patch
+CVE-2022-0536.patch
Reply to: