Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(Headers): don't forward secure headers on protocol change #1599

Merged

Conversation

max-stytch
Copy link
Contributor

Purpose

Resolves https://www.huntr.dev/bounties/db31e05b-ff10-4057-81a3-37445bf161cd/ by validating that the URL protocol remains the same when determining whether to send secure headers on a redirect.
This prevents MITM attacks from sniffing secure headers when a redirect downgrades a https:// to a http://

Changes

Adds an additional check to the redirect follow step to determine whether to send secure headers or not.

Additional information


  • I updated readme
  • I added unit test(s)

@jimmywarting jimmywarting requested review from gr2m and LinusU July 12, 2022 16:32
Copy link
Collaborator

@gr2m gr2m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great PR 👍🏼

@jimmywarting jimmywarting merged commit e87b093 into node-fetch:main Jul 18, 2022
@github-actions
Copy link

🎉 This PR is included in version 3.2.9 🎉

The release is available on:

Your semantic-release bot 📦🚀

@victal
Copy link

victal commented Jul 19, 2022

Sorry if this is the wrong place to ask, but since this PR is a fix for a security issue, will (or should) it be backported to the 2.x branch as it was done for #1449?

Is this done automatically or should I (or someone else interested in the fix) open another PR targeting the 2.x branch for that?

victal pushed a commit to victal/node-fetch that referenced this pull request Jul 19, 2022
@jimmywarting
Copy link
Collaborator

if you @victal could create a PR to the v2 branch then that would be grate!

@victal
Copy link

victal commented Jul 19, 2022

Just created #1605 for it, thanks!

jimmywarting pushed a commit that referenced this pull request Jul 19, 2022
backport for #1599 to the 2.x branch

Co-authored-by: Guilherme Victal <guilherme.a@dasa.com.br>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants