diff --git a/index.js b/index.js index b8792f8..c977819 100644 --- a/index.js +++ b/index.js @@ -38,7 +38,7 @@ function sanitizeHeaders(options) { const qUrl = url.parse(queryObject[queryParam]); // external link if protocol || host || port is different - return (qUrl.protocol !== urlObject.protocol || qUrl.host !== urlObject.host || qUrl.port !== urlObject.port); + return (!!qUrl.host && ( qUrl.protocol !== urlObject.protocol || qUrl.host !== urlObject.host || qUrl.port !== urlObject.port) ); }); if (hasExternalLink && options.hasOwnProperty("headers") && typeof (options.headers) === "object") { diff --git a/test/leak.test.js b/test/leak.test.js index ed15870..f5d71dc 100644 --- a/test/leak.test.js +++ b/test/leak.test.js 
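Review bot: The new `!!qUrl.host` guard exempts every query value that `url.parse` leaves without a host, and with the default arguments `url.parse` does not derive a host from a protocol-relative value (one beginning with `//`), so a redirect target of that form would now be treated as same-origin and the cookie and authorization headers would be kept. Parsing with `const qUrl = url.parse(queryObject[queryParam], false, true);` on the context line above sets `host` for protocol-relative values (their `protocol` is then null and differs from the request's), so only genuinely path-relative targets are exempted. Separately, `host` already includes the port in the legacy url API, so the `qUrl.port !== urlObject.port` term adds nothing and could be dropped, and the stray spaces inside `( qUrl.protocol … )` should be tidied. The callback that computes `hasExternalLink` and the body of `sanitizeHeaders` continue outside this hunk.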
@@ -5,23 +5,23 @@ var t = require('chai').assert; describe('Information Leak', function () { - it('should not forward cookie headers when the request has a redirect from another protocol/domain/port', function (done) { + it('should not forward cookie headers when the request has a redirect from another protocol/domain/port', function (done) { - request({ - url: 'https://httpbingo.org/redirect-to?url=http://httpbingo.org/cookies', - headers: { - 'Content-Type': 'application/json', - 'cookie': 'ajs_anonymous_id=1234567890', - 'authorization': 'Bearer eyJhb12345abcdef' - }, - json:true - }, function (err, response, body) { - t.deepEqual(Object.keys(body).length, 0); - done(); - }); - }); + request({ + url: 'https://httpbingo.org/redirect-to?url=http://httpbingo.org/cookies', + headers: { + 'Content-Type': 'application/json', + 'cookie': 'ajs_anonymous_id=1234567890', + 'authorization': 'Bearer eyJhb12345abcdef' + }, + json:true + }, function (err, response, body) { + t.deepEqual(Object.keys(body).length, 0); + done(); + }); + }); - it('should forward cookie headers when the request has a redirect from the same protocol/domain/port', function (done) { + it('should forward cookie headers when the request has a redirect from the same protocol/domain/port', function (done) { request({ url: 'https://httpbingo.org/redirect-to?url=https://httpbingo.org/cookies', 
@@ -39,20 +39,38 @@ describe('Information Leak', function () { }); }); - it('should not forward authorization headers when the request has a redirect', function (done) { + it('should forward cookie headers when the request hasn\'t any redirect', function (done) { - request({ - url: 'https://httpbingo.org/redirect-to?url=http://httpbingo.org/bearer', - headers: { - 'Content-Type': 'application/json', - 'cookie': 'ajs_anonymous_id=1234567890', - 'authorization': 'Bearer eyJhb12345abcdef' - } - }, function (err, response, body) { - t.deepEqual(body, undefined); - done(); - }); + request({ + url: 'https://httpbingo.org/cookies?test=hello', + headers: { + 'Content-Type': 'application/json', + 'cookie': 'ajs_anonymous_id=1234567890', + 'authorization': 'Bearer eyJhb12345abcdef' + }, + json:true + }, function (err, response, body) { + t.deepEqual(body, { + "ajs_anonymous_id": "1234567890" + }); + done(); }); + }); + + it('should not forward authorization headers when the request has a redirect', function (done) { + + request({ + url: 'https://httpbingo.org/redirect-to?url=http://httpbingo.org/bearer', + headers: { + 'Content-Type': 'application/json', + 'cookie': 'ajs_anonymous_id=1234567890', + 'authorization': 'Bearer eyJhb12345abcdef' + } + }, function (err, response, body) { + t.deepEqual(body, undefined); + done(); + }); + }); it('should forward authorization headers when the request has a redirect from the same protocol/domain/port', function (done) { 
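Review bot: The re-added 'should not forward authorization headers when the request has a redirect' test passes vacuously when the request fails, because its callback ignores `err` and `t.deepEqual(body, undefined)` is equally satisfied by the undefined body of a failed request; the new cookie test in this hunk and the authorization test in the next hunk likewise never look at `err`. Begin each callback with `if (err) return done(err);` and, for the negative case, assert on `response.statusCode` (the unauthenticated status that endpoint returns) instead of on an undefined body. These tests also rely on a live httpbingo.org, which is existing practice in this file, though a redirect issued by a test server under the suite's control would make the checks deterministic. The enclosing `describe` starts before this hunk and closes in the next one.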
@@ -72,4 +90,22 @@ describe('Information Leak', function () { }); }); + it('should forward authorization headers when the request hasn\'t any redirect', function (done) { + + request({ + url: 'https://httpbingo.org/bearer?test=hello', + headers: { + 'Content-Type': 'application/json', + 'cookie': 'ajs_anonymous_id=1234567890', + 'authorization': 'Bearer eyJhb12345abcdef' + } + }, function (err, response, body) { + t.deepEqual(body, { + "authenticated": true, + "token": "eyJhb12345abcdef" + }); + done(); + }); + }); + });