
Bug#1003526: Update to close CVE-2022-0536



Hi,

here is a new debdiff that also closes CVE-2022-0536

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 5bfcaa7..5e881cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-follow-redirects (1.13.1-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Drop Cookie header across domains (Closes: CVE-2022-0155)
+  * Drop confidential headers across schemes (Closes: CVE-2022-0536)
+
+ -- Yadd <yadd@debian.org>  Sat, 12 Feb 2022 12:05:01 +0100
+
 node-follow-redirects (1.13.1-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-0155.patch b/debian/patches/CVE-2022-0155.patch
new file mode 100644
index 0000000..0e8419f
--- /dev/null
+++ b/debian/patches/CVE-2022-0155.patch
@@ -0,0 +1,22 @@
+Description: Drop Cookie header across domains.
+Author: Ruben Verborgh <ruben@verborgh.org>
+Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/8b347cbc
+Bug: https://github.com/follow-redirects/follow-redirects/issues/183
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-01-11
+
+--- a/index.js
++++ b/index.js
+@@ -345,9 +345,9 @@
+     var redirectUrlParts = url.parse(redirectUrl);
+     Object.assign(this._options, redirectUrlParts);
+ 
+-    // Drop the Authorization header if redirecting to another host
++    // Drop the confidential headers when redirecting to another domain
+     if (redirectUrlParts.hostname !== previousHostName) {
+-      removeMatchingHeaders(/^authorization$/i, this._options.headers);
++      removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+     }
+ 
+     // Evaluate the beforeRedirect callback
diff --git a/debian/patches/CVE-2022-0536.patch b/debian/patches/CVE-2022-0536.patch
new file mode 100644
index 0000000..fdb3d11
--- /dev/null
+++ b/debian/patches/CVE-2022-0536.patch
@@ -0,0 +1,99 @@
+Description: Drop confidential headers across schemes
+Author: Ruben Verborgh <ruben@verborgh.org>
+Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/62e546a9
+Bug: https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-02-12
+
+--- a/index.js
++++ b/index.js
+@@ -335,8 +335,9 @@
+     }
+ 
+     // Drop the Host header, as the redirect might lead to a different host
+-    var previousHostName = removeMatchingHeaders(/^host$/i, this._options.headers) ||
+-      url.parse(this._currentUrl).hostname;
++    var currentHostHeader = removeMatchingHeaders(/^host$/i, this._options.headers);
++    var currentUrlParts = url.parse(this._currentUrl);
++    var currentHost = currentHostHeader || currentUrlParts.host;
+ 
+     // Create the redirected request
+     var redirectUrl = url.resolve(this._currentUrl, location);
+@@ -345,8 +346,10 @@
+     var redirectUrlParts = url.parse(redirectUrl);
+     Object.assign(this._options, redirectUrlParts);
+ 
+-    // Drop the confidential headers when redirecting to another domain
+-    if (redirectUrlParts.hostname !== previousHostName) {
++    // Drop the Host header, as the redirect might lead to a different host
++    // Drop confidential headers when redirecting to another scheme:domain
++    if (redirectUrlParts.protocol !== currentUrlParts.protocol ||
++       !isSameOrSubdomain(redirectUrlParts.host, currentHost)) {
+       removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+     }
+ 
+@@ -499,6 +502,14 @@
+   return CustomError;
+ }
+ 
++function isSameOrSubdomain(subdomain, domain) {
++  if (subdomain === domain) {
++    return true;
++  }
++  const dot = subdomain.length - domain.length - 1;
++  return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
++}
++
+ // Exports
+ module.exports = wrap({ http: http, https: https });
+ module.exports.wrap = wrap;
+--- a/test/test.js
++++ b/test/test.js
+@@ -730,6 +730,38 @@
+           });
+       });
+     });
++
++  });
++
++  [
++    "Authorization",
++    "Cookie",
++  ].forEach(function (header) {
++    describe("when the client passes an header named " + header, function () {
++      it("ignores it when null", function () {
++        app.get("/a", redirectsTo(302, "http://localhost:3600/b";));
++        app.get("/b", function (req, res) {
++          res.end(JSON.stringify(req.headers));
++        });
++
++        var opts = url.parse("http://127.0.0.1:3600/a";);
++        opts.headers = { host: "localhost" };
++        opts.headers[header] = null;
++
++        return server.start(app)
++          .then(asPromise(function (resolve, reject) {
++            http.get(opts, resolve).on("error", reject);
++          }))
++          .then(asPromise(function (resolve, reject, res) {
++            res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
++          }))
++          .then(function (str) {
++            var body = JSON.parse(str);
++            assert.equal(body.host, "localhost:3600");
++            assert.equal(body[header.toLowerCase()], undefined);
++          });
++      });
++    });
+   });
+ 
+   describe("should switch to safe methods when appropriate", function () {
+@@ -1237,7 +1269,6 @@
+         .then(function (str) {
+           var body = JSON.parse(str);
+           assert.equal(body.host, "localhost:3600");
+-          assert.equal(body.authorization, "bearer my-token-1234");
+         });
+     });
+ 
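Review bot: The two test lines at L128 and L133 of the embedded test/test.js hunk read `redirectsTo(302, "http://localhost:3600/b";)` and `url.parse("http://127.0.0.1:3600/a";)`, which is a syntax error (a stray `;` between the string literal and the closing parenthesis), so the test file would not parse if the patch is applied as shown. This looks like a list-archive rendering artefact on the URLs rather than the real debdiff, but the patch in the upload should be checked against the upstream commit named in the Origin line; the intended lines are `app.get("/a", redirectsTo(302, "http://localhost:3600/b"));` and `var opts = url.parse("http://127.0.0.1:3600/a");`. A second, smaller point in the index.js part: `isSameOrSubdomain` dereferences `subdomain.length` without checking its type, and `redirectUrlParts.host` is whatever `url.parse` returns for the resolved Location, which presumably can be null for non-HTTP targets — worth confirming that such a redirect fails with a clear error elsewhere rather than a TypeError from this helper. The enclosing `_processResponse` method that the first two index.js hunks modify starts and ends outside the quoted hunks.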
diff --git a/debian/patches/series b/debian/patches/series
index a22cf9d..8040424 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 fix-test.patch
+CVE-2022-0155.patch
+CVE-2022-0536.patch
