Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add allowInsecureRedirect option #28

Merged

Conversation

legobeat
Copy link

@legobeat legobeat commented Mar 25, 2023

PR Checklist:

  • I have run npm test locally and all tests are passing.
  • I have added/updated tests for any new behavior.
  • If this is a significant change, an issue has already been created where the problem / solution was discussed: CVE-2023-28155 #27

PR Description

  • Ported from Ssrf fix request/request#3444
    • Existing behavior allows malicious redirects between protocols
    • Set default behavior to disable protocol downgrade in redirects (breaking)
    • Add new option allowInsecureRedirect where true reverts to old behavior
  • Update cypress tests to use allowInsecureRedirect: true for applicable cases

A non-breaking (and therefore not-safe-by-default) alternative in #30.

@legobeat legobeat mentioned this pull request Mar 25, 2023
@legobeat legobeat force-pushed the ssrf-allow-insecure-redirect branch 5 times, most recently from 06d32fc to bfd8422 Compare March 25, 2023 01:12
@legobeat legobeat marked this pull request as ready for review March 25, 2023 01:22
@legobeat legobeat mentioned this pull request Mar 25, 2023
Copy link

@RedneckMartha RedneckMartha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have not unit tested, but changes are simple/minimal and look good.
Note: I don't see this change as breaking. If apps using this package start to break, it's because of incorrect protocol provided OR a potentially malicious redirection. Most concerning is https to http redirect. I'm not sure why http to https is a concern in the security advisory. In any case, this fix plugs the hole and will surface the problem if there is one.

@s100
Copy link

s100 commented May 22, 2023

Is there anything we can do to assist with getting this PR merged and a new version of @cypress/request published? We could really use this security fix downstream and we are trying to avoid creating a fork of your fork just for this. Thank you in advance.

@atomjump
Copy link

I second S100's suggestion. Note: we have been running the version with this patch (made manually) without any issues in some of our products.

SzymonDrosdzol and others added 3 commits August 1, 2023 17:35
- Addresses CVE-2023-28155
  - Existing behavior allows malicios redirects between protocols
  - Set default behavior to disable this vector (breaking)
  - Add new option `allowInsecureRedirect` where `true` reverts to old
    behavior
- Ported from request#3444
@legobeat legobeat force-pushed the ssrf-allow-insecure-redirect branch from bfd8422 to 8625fb6 Compare August 1, 2023 17:35
@legobeat
Copy link
Author

legobeat commented Aug 1, 2023

@nagash77 Have you had a chance to consider this?

@G-Rath
Copy link

G-Rath commented Aug 1, 2023

note that to properly resolve GHSA-p8p7-x288-28g6 this behaviour needs to be enabled by default - given the usecase of this library and that it's a security issue I think it would be fair to argue this is a bug and so valid to change in a patch version with it enabled by default (i.e. this PR, rather than #30)

@nagash77
Copy link

nagash77 commented Aug 2, 2023

Hi @legobeat , we have not had a chance to review this PR. We are currently in a push to get a new major feature out the door but I will try and get some eyes on this in the next couple of weeks. I know that is probably longer than you were hoping for but it is the best we can do at the moment. This library is at the core of Cypress so changes here do have the potential to have wide ranging impacts so this will take awhile to ensure it is safe to merge this change.

I will make sure to keep an eye on this PR so it does not get lost and we can get to a resolution one way or another.

@nagash77 nagash77 self-assigned this Aug 2, 2023
Copy link

@chrisbreiding chrisbreiding left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this contribution and sorry it's taken so long for us to get around to reviewing it. I discussed this with the team and we decided we want to go forward with this PR, with the more secure option as the default. Since it's breaking, we'll follow semantic versioning and release it as a new major version of this package.

@chrisbreiding chrisbreiding changed the title security: breaking: Add option "allowInsecureRedirect" feat: Add allowInsecureRedirect option Aug 8, 2023
@chrisbreiding chrisbreiding merged commit c5bcf21 into cypress-io:master Aug 8, 2023
@cypress-app-bot
Copy link

🎉 This PR is included in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@lukehsiao
Copy link

Will there be a new release of cypress itself that bumps this requirement?

https://github.com/cypress-io/cypress/blob/b17043102bcb7bb653efb6526238468c74b4d564/package.json#L75

@MikeMcC399
Copy link

MikeMcC399 commented Aug 8, 2023

@chrisbreiding

Confusingly the 3.0.0 release still shows an old version 2.88.11 in https://github.com/cypress-io/request/blob/v3.0.0/package.json

"version": "2.88.11",

@chrisbreiding
Copy link

Confusingly the 3.0.0 release still shows an old version 2.88.11 in v3.0.0/package.json

@MikeMcC399 That's true. Thanks for pointing that out. Since semantic-release doesn't commit a version change back to the repo after a release, we usually set the version to something that can't be mistaken or the real version, but looks like we didn't do that when this repo was converted to use semantic-release. I'm addressing this in #41.

@chrisbreiding
Copy link

Will there be a new release of cypress itself that bumps this requirement?

@lukehsiao Yes. I'm addressing that in this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.