chore: add http proxy test #2433

Merged
merged 1 commit into from
Oct 3, 2024
Conversation

tripodsan (Contributor)

No description provided.

github-actions bot commented Oct 3, 2024

This PR will trigger no release when merged.

try {
// Delete accept header due to nock conflict
delete req.headers.accept;
console.log('http proxy request', req.url);

Check warning: Code scanning / CodeQL

Log injection (Medium, test)

Log entry depends on a user-provided value.

Copilot Autofix AI 3 months ago

To fix the log injection issue, we need to sanitize the req.url before logging it. Specifically, we should remove any newline characters from the URL to prevent log injection attacks. This can be achieved using the String.prototype.replace method to strip out newline characters.

  • General fix: Sanitize user input before logging it to prevent log injection.
  • Detailed fix: Modify the code to replace newline characters in req.url with an empty string before logging it.
  • Specific changes: Update the logging statements on lines 286 and 288 to sanitize req.url.
  • Requirements: No additional methods or definitions are needed, but we will modify the existing logging statements.
Suggested changeset 1
test/server.test.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/server.test.js b/test/server.test.js
--- a/test/server.test.js
+++ b/test/server.test.js
@@ -285,5 +285,6 @@
             delete req.headers.accept;
-            console.log('http proxy request', req.url);
+            const sanitizedUrl = req.url.replace(/\n|\r/g, "");
+            console.log('http proxy request', sanitizedUrl);
             const resp = await h1NoCache().fetch(req.url, {});
-            console.log('http proxy response for', req.url, resp.status);
+            console.log('http proxy response for', sanitizedUrl, resp.status);
             res.writeHead(resp.status, resp.headers.plain());
EOF
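Review bot: The patch fixes the finding narrowly and correctly: `sanitizedUrl` feeds only the two `console.log` calls while `fetch(req.url, {})` keeps the raw request target, which is the right split, because a log sanitizer must never alter what the proxy forwards. Two caveats are worth a one-line comment next to the regex: `/\n|\r/g` strips only raw CR and LF, so other control characters still reach the log, and a percent-encoded `%0d%0a` passes through unchanged (harmless as long as the value is logged without being decoded first). Stripping also glues the injected text onto the real path in the log line; escaping the characters instead would keep the forged bytes visible as evidence. Since this is the test suite's stub proxy, the comment is sufficient and no further hardening is needed here.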
delete req.headers.accept;
console.log('http proxy request', req.url);
const resp = await h1NoCache().fetch(req.url, {});
console.log('http proxy response for', req.url, resp.status);

Check warning: Code scanning / CodeQL

Log injection (Medium, test)

Log entry depends on a user-provided value.

Copilot Autofix AI 3 months ago

To fix the log injection issue, we need to sanitize the req.url before logging it. Specifically, we should remove any newline characters from the URL to prevent log injection attacks. This can be done using the String.prototype.replace method to replace newline characters with an empty string.

Suggested changeset 1
test/server.test.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/server.test.js b/test/server.test.js
--- a/test/server.test.js
+++ b/test/server.test.js
@@ -285,5 +285,6 @@
             delete req.headers.accept;
-            console.log('http proxy request', req.url);
-            const resp = await h1NoCache().fetch(req.url, {});
-            console.log('http proxy response for', req.url, resp.status);
+            const sanitizedUrl = req.url.replace(/\n|\r/g, "");
+            console.log('http proxy request', sanitizedUrl);
+            const resp = await h1NoCache().fetch(sanitizedUrl, {});
+            console.log('http proxy response for', sanitizedUrl, resp.status);
             res.writeHead(resp.status, resp.headers.plain());
EOF
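Review bot: Unlike the first suggestion, this one also rewrites the proxied target (`fetch(sanitizedUrl, {})`), which goes beyond the log-injection finding and changes the proxy's behaviour: a request target containing raw CR or LF would be forwarded with those characters silently removed instead of being passed through or rejected. Keep the fetch on `req.url` and apply `sanitizedUrl` only to the two `console.log` lines, as in the first patch; if malformed targets should not be forwarded at all, reject them explicitly (for example with a 400 response) rather than quietly rewriting them, so the test still exercises exactly the URL the client sent.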
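As an added example (not code from the PR or from the project), the log-forging case behind both CodeQL findings and both Copilot explanations above: the autofix's exact regex sits beside an escaping variant, and the handler mirrors the first patch (sanitize for the log, proxy the raw target). `escapeForLog`, `handleProxyRequest` and the two sample URLs are constructed here, not taken from the repository.

```javascript
// Added example (not part of PR #2433 or the project's code): what CodeQL's
// "log entry depends on a user-provided value" finding means for the test
// proxy, and what the Copilot autofix's regex does and does not cover.

// The sanitizer exactly as in the suggested patch: strips raw CR and LF.
function sanitizeForLog(url) {
  return url.replace(/\n|\r/g, '');
}

// Alternative (an assumption, not the project's code): escape every C0
// control character and DEL instead of dropping them, so the log entry stays
// on one line and still shows what the client actually sent.
function escapeForLog(url) {
  return url.replace(/[\x00-\x1f\x7f]/g,
    (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Same message shape as the test proxy's console.log call.
function formatProxyLog(url) {
  return `http proxy request ${url}`;
}

// How a line-oriented log collector would count entries in that output.
function lineCount(text) {
  return text.split(/\r?\n/).length;
}

// Mirrors the first autofix: sanitize for the log only, proxy the raw target.
function handleProxyRequest(reqUrl) {
  const sanitizedUrl = sanitizeForLog(reqUrl);
  return { logLine: formatProxyLog(sanitizedUrl), target: reqUrl };
}

// Constructed inputs: a request target carrying a raw CRLF that forges a
// second log entry, and the same bytes percent-encoded, which is the form a
// real HTTP client has to send them in.
const FORGED_URL = '/index.html\r\nhttp proxy request /admin';
const ENCODED_URL = '/index.html%0d%0ahttp%20proxy%20request%20/admin';

console.log(lineCount(formatProxyLog(FORGED_URL)));             // raw CRLF: 2 lines
console.log(lineCount(handleProxyRequest(FORGED_URL).logLine));  // sanitized: 1 line
console.log(sanitizeForLog(ENCODED_URL) === ENCODED_URL);        // encoded form untouched: true
```

The encoded case is the one a client can actually send; it passes the regex unchanged and stays harmless in the log only while it is logged without being decoded first.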
@tripodsan tripodsan merged commit 069c0f1 into main Oct 3, 2024
9 checks passed
@tripodsan tripodsan deleted the add-test-for-http-proxy branch October 3, 2024 17:27