Skip to content
This repository has been archived by the owner on May 3, 2022. It is now read-only.

Redirects should not pass authorization to different domain #27

Merged
merged 3 commits into from
Apr 23, 2020
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions __tests__/basics.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,50 @@ describe('basics', () => {
done()
})

it('does not pass auth with diff hostname redirects', async done => {
let headers = {
"accept": "application/json",
"authorization": "shhh"
}
let res: httpm.HttpClientResponse = await _http.get(
'https://httpbin.org/redirect-to?url=' +
encodeURIComponent('https://www.httpbin.org/get'),
headers
)

expect(res.message.statusCode).toBe(200)
let body: string = await res.readBody()
let obj: any = JSON.parse(body)
// httpbin "fixes" the casing
expect(obj.headers["Authorization"]).toBeUndefined()
expect(obj.headers["authorization"]).toBeUndefined()
expect(obj.url).toBe('https://www.httpbin.org/get')

done()
})

it('does not pass Auth with diff hostname redirects', async done => {
let headers = {
"Accept": "application/json",
"Authorization": "shhh"
}
let res: httpm.HttpClientResponse = await _http.get(
'https://httpbin.org/redirect-to?url=' +
encodeURIComponent('https://www.httpbin.org/get'),
headers
)

expect(res.message.statusCode).toBe(200)
let body: string = await res.readBody()
let obj: any = JSON.parse(body)
// httpbin "fixes" the casing
expect(obj.headers["Authorization"]).toBeUndefined()
expect(obj.headers["authorization"]).toBeUndefined()
expect(obj.url).toBe('https://www.httpbin.org/get')

done()
})

it('does basic head request', async done => {
let res: httpm.HttpClientResponse = await _http.head(
'http://httpbin.org/get'
Expand Down
10 changes: 10 additions & 0 deletions index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -386,6 +386,16 @@ export class HttpClient {
// which will leak the open socket.
await response.readBody()

// strip authorization header if redirected to a different hostname
Copy link
Member Author

@bryanmacfarlane bryanmacfarlane Apr 23, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that I commented out these lines and confirmed tests failed. Then uncommented and both pass

if (parsedRedirectUrl.hostname !== parsedUrl.hostname) {
for(let header in headers){
// header names are case insensitive
if (header.toLowerCase() === "authorization") {
delete headers[header]
}
}
}

// let's make the request with the new redirectUrl
info = this._prepareRequest(verb, parsedRedirectUrl, headers)
response = await this.requestRaw(info, data)
Expand Down