Bug#1014054: bullseye-pu: package node-got/11.8.1+~cs53.13.17-3+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-got allows redirection to unix sockets (#1013264, CVE-2022-33987)
[ Impact ]
Medium vulnerability: a remote host can redirect a node-got request to a
Unix socket
[ Tests ]
Sadly tests aren't enabled: ava was introduced earlier in Debian
[ Risks ]
Low risk:
* patch is trivial
* package is built from TypeScript, then tsc compiler checks for
a lot of errors
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just reject URL starting with "unix:" if original request wasn't a
"unix:" request.
Note that I had to add a typescript change: one ignored error is no more
an error.
Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9cda1ef..a4bd358 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-got (11.8.1+~cs53.13.17-3+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Don't allow redirection to Unix socket (Closes: #1013264, CVE-2022-33987)
+
+ -- Yadd <yadd@debian.org> Wed, 29 Jun 2022 16:30:16 +0200
+
node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-33987.patch b/debian/patches/CVE-2022-33987.patch
new file mode 100644
index 0000000..79c012f
--- /dev/null
+++ b/debian/patches/CVE-2022-33987.patch
@@ -0,0 +1,100 @@
+Description: Don't allow redirect to Unix socket
+Author: Sindre Sorhus <sindresorhus@gmail.com>
+Origin: upstream, https://github.com/sindresorhus/got/commit/bce8ce7d
+Bug: https://github.com/sindresorhus/got/pull/2047
+Bug-Debian: https://bugs.debian.org/1013264
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-06-29
+
+--- a/source/core/index.ts
++++ b/source/core/index.ts
+@@ -2102,6 +2102,16 @@
+ const redirectString = redirectUrl.toString();
+ decodeURI(redirectString);
+
++ // eslint-disable-next-line no-inner-declarations
++ function isUnixSocketURL(url: URL) {
++ return url.protocol === 'unix:' || url.hostname === 'unix';
++ }
++
++ if (!isUnixSocketURL(url) && isUnixSocketURL(redirectUrl)) {
++ this._beforeError(new RequestError('Cannot redirect to UNIX socket', {}, this));
++ return;
++ }
++
+ // Redirecting to a different site, clear sensitive data.
+ if (redirectUrl.hostname !== url.hostname || redirectUrl.port !== url.port) {
+ if ('host' in options.headers) {
+--- a/test/redirects.ts
++++ b/test/redirects.ts
+@@ -1,7 +1,7 @@
+ import test from 'ava';
+ import {Handler} from 'express';
+ import nock = require('nock');
+-import got, {MaxRedirectsError} from '../source';
++import got, {MaxRedirectsError, RequestError} from '../source';
+ import withServer, {withHttpsServer} from './helpers/with-server';
+
+ const reachedHandler: Handler = (_request, response) => {
+@@ -509,3 +509,32 @@
+ t.is(response.body, 'SERVER2');
+ });
+ });
++
++const unixProtocol: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'unix:/var/run/docker.sock:/containers/json'
++ });
++ response.end();
++};
++
++const unixHostname: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'http://unix:/var/run/docker.sock:/containers/json'
++ });
++ response.end();
++};
++
++test('cannot redirect to unix protocol', withServer, async (t, server, got) => {
++ server.get('/protocol', unixProtocol);
++ server.get('/hostname', unixHostname);
++
++ await t.throwsAsync(got('protocol'), {
++ message: 'Cannot redirect to UNIX socket',
++ instanceOf: RequestError
++ });
++
++ await t.throwsAsync(got('hostname'), {
++ message: 'Cannot redirect to UNIX socket',
++ instanceOf: RequestError
++ });
++});
+--- a/test/unix-socket.ts
++++ b/test/unix-socket.ts
+@@ -8,6 +8,13 @@
+ response.end('ok');
+ };
+
++const redirectHandler: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'foo'
++ });
++ response.end();
++};
++
+ if (process.platform !== 'win32') {
+ test('works', withSocketServer, async (t, server) => {
+ server.on('/', okHandler);
+@@ -53,3 +60,11 @@
+ t.is((await got(url)).body, 'ok');
+ });
+ }
++
++test('redirects work', withSocketServer, async (t, server) => {
++ server.on('/', redirectHandler);
++ server.on('/foo', okHandler);
++
++ const url = format('http://unix:%s:%s', server.socketPath, '/');
++ t.is((await got(url)).body, 'ok');
++});
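Review bot: `isUnixSocketURL` is declared inside the redirect branch, which is why the `no-inner-declarations` disable is needed and why the function is re-created on every redirect; hoisting it to module scope as `const isUnixSocketURL = (url: URL): boolean => url.protocol === 'unix:' || url.hostname === 'unix';` removes the lint exception and gives the predicate a place for a comment. That comment should record why both forms are checked: got addresses Unix sockets both as `unix:` URLs and as `http://unix:<socket>:<path>` (the `unixHostname` handler in test/redirects.ts and the `format('http://unix:%s:%s', …)` call in test/unix-socket.ts exercise the second form). The guard only consults `url`, so a request that already targets a socket may still be redirected to another socket path, which the 'redirects work' test confirms is intended. The enclosing response handler in source/core/index.ts starts and ends outside the hunk, so whether `url` is the original request URL or the current hop's URL cannot be confirmed from here.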
diff --git a/debian/patches/fix-typescript.patch b/debian/patches/fix-typescript.patch
new file mode 100644
index 0000000..02c2e82
--- /dev/null
+++ b/debian/patches/fix-typescript.patch
@@ -0,0 +1,16 @@
+Description: fix typescript
+Author: Yadd <yadd@debian.org>
+Forwarded: not-needed
+Last-Update: 2022-06-29
+
+--- a/source/utils/deprecation-warning.ts
++++ b/source/utils/deprecation-warning.ts
+@@ -7,7 +7,7 @@
+
+ alreadyWarned.add(message);
+
+- // @ts-expect-error Missing types.
++ // @ts-ignore
+ process.emitWarning(`Got: ${message}`, {
+ type: 'DeprecationWarning'
+ });
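Review bot: Replacing `@ts-expect-error` with a bare `@ts-ignore` at the `process.emitWarning` call drops the explanation and will also hide any future type error on that line, not only the one that went away. Since the report says the previously ignored error is no longer reported with the bullseye toolchain, keep the reason on the directive so a later backport knows when it can be dropped: `// @ts-ignore Missing types; not an error with the bullseye toolchain, so @ts-expect-error would fail`. The enclosing function in deprecation-warning.ts starts and ends outside the hunk.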
diff --git a/debian/patches/series b/debian/patches/series
index 2299ad7..52e5121 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
build-source-only.diff
fix-package-json-paths.diff
CVE-2021-33502.patch
+CVE-2022-33987.patch
+fix-typescript.patch